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Region Based Synthesis of P/T-Nets and Its 
Potential Applications 
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Abstract. This talk is an informal presentation of ideas put forward 
by Badouel, Bernardinello, Caillaud and me for solving various types of 
P/T-net synthesis problems, with hints at the potential role of net syn- 
thesis in distributed software and distributed control. The ideas are theirs 
as much as mine. The lead is to start from Ehrenfeucht and Rozenberg’s 
axiomatic characterization of behaviours of elementary nets, based on re- 
gions, to adapt the characterization to P/T-nets in line with Mukund’s 
extended regions with integer values, and to profit from algebraic prop- 
erties of graphs and languages for converting decision problems about 
regions to linear algebra. 
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Modeling the Structural Aspect. 
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Abstract. Uppaal [UPP, BLL+98] is an integrated tool environment 
for modelling, simulating and verification of real-time and hybrid sys- 
tems, developed jointly by BRIGS at Aalborg University in Denmark and 
by DoCS at Uppsala University in Sweden. In this talk we will review 
the status of the currently distributed version of Uppaal and describe 
in more detail the ongoing developments which are to be incorporated 
in future releases of the tool. 
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Abstract. Colored nets have been recognized as a powerful modelling 
paradigm for the validation and evaluation of systems, both in terms of 
compact representation and aggregate state space generation. In this pa- 
per we discuss the issue of adding compositionality to a class of stochas- 
tic colored nets named Stochastic Well-formed Nets, in order to increase 
modularity and reuse of the modelling efforts. This requires the notion of 
Parametric Stochastic Well-formed net: nets in which a certain amount 
of information is left unspecihed, and is instantiated only upon model 
composition. The choice of the compositional rule has been based on 
previous work on layered models for integrated hardware and software 
systems (the processes, services and resources methodology), and an ex- 
ample of layered modelling with Parametric Stochastic Well-formed net 
is presented to show the efficacy of the proposed formalism. 
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3.1 A Quick Reminder of SWN 
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3.2 A Motivation for PSWN: The WRONG-MATCH Problem 
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3.3 Parametric SWN Definition 

cd t 1 n n n t Ci,x 

X 1 t n Ci 11 n n n 

Definition 1 (Parametric Stochastic Well- formed Nets). A 

11 (PSWN) is an nine-tuple: 

P, T, Pre, Post, Inh, pri, ,ed,w 



— P, T, Pre, Post, Inh, pri, and w, (that stay for places, transitions, input, 
output, inhibitor, and priority functions, and weight assignment respectively) 
are defined as for classical SWN, 

— , where C\,...,Cn is the finite set of finite color 

classes, ( i,Ci ) and XC\,...,XCn is the finite set 

of color classes 

— cd defines the color domain of places and transitions, with cd P 

", n , and cd T ( VAR ™,m , where VAR is 

the set of variables. 
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Definition 2 (Multilabeled PSWN). d ul 1 1 (MPSWN) is 

a twelve-tuple: 



P, T, Pre, Post, Inh, pri, , ed, w, 



,A 



where: 

— P, T, Pre, Post, Inh, pri, , erf andw, are defined as for PSWN, 

— X is a labeling funetion. If L is a set of labels, then the labeling is defined as 

XT L T , where L is the powerset of L, 

— t,l , with I X t is a pair (C,x) of ed t , or the empty pair — , — , 
and it is named “import funetion” of t over label I, and 

— t,l , with I X t is a list of pairs (Ci,xt), with Ci,xt ed t , or the 
empty pair — , — , and is named “export funetion” of t over label I, 
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Definition 3 (Composition e). Let’s take two LPSWN with injeetive la- 
beling i Pi,Ti,Prei,Posti,Inhi,prii, t, cdi, Wi, Xi with i 
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,2 . The LPSWN i e 2 resulting from the eomposition of 1 

and 2 on the set of labels E Ai T\ A2 T2 , is the following LPSWN: 



P, T, Pre, Post, Inh, pri, , ed, w, , , A 



with: P Pi P2, T Ti Tf T2 (all transitions of T that do not synchro- 
nize, plus all that of T2 where PL is the subset of transitions t Ti such that 

A t E); 

if 2 f where f is the subset of that is instantiated 
to basic color classes thanks to import operations on the labels of E; 

1 f 2 2 ^ where f represents the restriction of j 

to the subset of labels E and 1 f 2 2 > where f 

represents the restriction of j to the subset of labels E, moreover 

if t Ti Tf 

if t T2 T^ 

2 ^5 ^ 

I t ,l if t Tf ,\2 t Xi t I 



cd t 



cdi t 
cd 2 t 

cdi t 1 
cd 2 t 



t , I 
2 ^ 



where i t ,l j t, I represents the substitutions due to the unification 

of color classes and variables caused by the import of i and the export of j, with 

i j; 

. „ cdi p if p Pi 

^ cd2P if P P 2 



where cdi P P where all parametric classes in f have been substituted 

by the corresponding basic color classes of j,i j imported through L^; for 
Fi PrCi, Posti, Inhi , we define: 
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and, again, F- stands for Fi where variables of colors belonging to f have 
been substituted by the imported variables. 
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^ Observe that this operation is well defined since, due to injectivity of the labeling 
function and to the constraints imposed on PSWN, each parametric color is instan- 
tiated to exactly one basic color class 
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5 Example of PSWN Use 
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5.2 Level 7?.: The Resources Level 
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10. else u Union p dw i ,q dw i ; p and g are at the same level 

11. SetArc r,i,u ; make u the i-th child of r 

12. r CheckNode r ; store r in the unique table 

13. InsertInUC k,p,q,r ; record the result in the union cache 
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Abstract: In this paper, we suggest a requirement engineering process that 
generates a user interface prototype from scenarios and yields a formal 
specification of the system in form of a high-level Petri net. Scenarios are 
acquired in the form of sequence diagrams as defined by the Unified Modeling 
Language (UML), and are enriched with user interface information. These 
diagrams are transformed into Petri net specifications and merged to obtain a 
global Petri net specification capturing the behavior of the entire system. From 
the global specification, a user interface prototype is generated and embedded in 
a user interface builder environment for further refinement. Based on end user 
feedback, the input scenarios and the user interface prototype may be iteratively 
refined. The result of the overall process is a specification consisting of a global 
Petri net, together with the generated and refined prototype of the user interface. 
Keywords: User interface prototyping, scenario specification, high-level Petri 
net. Unified Modeling Language. 



1 Introduction 

Scenarios have been identified as an effective means for understanding requirements 
[16] and for analyzing human computer interaction [14]. A typical process for 
requirement engineering based on scenarios [7] has two main tasks. The first task 
consists of generating from scenarios specifications that describe system behavior. 
The second task concerns scenario validation with users by simulation and 
prototyping. These tasks remain tedious activities as long as they are not supported by 
automated tools. 

For the purpose of validation in early development stages, rapid prototyping tools 
are commonly and widely used. Recently, many advances have been made in user 
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interface (UI) prototyping tools like UI builders and UI management systems. Yet, the 
development of UIs is still time-consuming, since every UI object has to be created 
and laid out explicitly. Also, specifications of dialogue controls must be added by 
programming (for UI builders) or via a specialized language (for UI management 
systems). 

This paper suggests an approach for requirements engineering that is based on the 
Unified Modeling Language (UML) and high-level Petri nets. The approach provides 
an iterative, four-step process with limited manual intervention for deriving a 
prototype of the UI from scenarios and for generating a formal specification of the 
system. As a first step in the process, the use case diagram of the system as defined by 
the UML is elaborated, and for each use case occurring in the diagram, scenarios are 
acquired in the form of UML sequence diagrams and enriched with UI information. In 
the second step, the use case diagram and all sequence diagrams are transformed into 
Colored Petri Nets (CPNs). In step three, the CPNs describing one particular use case 
are integrated into one single CPN, and the CPNs obtained in this way are linked with 
the CPN derived from the use case diagram to form a global CPN capturing the 
behavior of the entire system. Finally, in step four, a prototype of the UI of the system 
is generated from the global CPN and embedded in a UI builder environment for 
further refinement. 

In our previous work, we have investigated and implemented the generation of UI 
prototypes from UML scenarios using exclusively the UML, most notably UML 
Statecharts [5, 13, 21, 22]. In this Statechart-based approach, Statecharts are used to 
integrate the UML scenarios and capture object and UI behavior. In the work 
presented in this paper, we decided to take a Petri-net based approach, with CPNs 
taking the role of UML Statecharts. We opted for Petri nets because of their strong 
support of concurrency, their ability to capture and simulate multiple copies of 
scenarios in the same specification, and for the wealth of available tools for analyzing, 
simulating, and verifying Petri nets. A comparison of the two approaches is provided 
in Section 5 of the paper. 

In our approach, we aim to model separately the use case and the scenario levels. 
We also want to keep track of scenarios after their integration. Thus, we need a PN 
class that supports hierarchies as well as colors or objects to distinguish between 
scenarios in the resulting specification. We adopted Jensen’s definition of CPN [10] 
which is widely accepted and supported by the designCPN tool [3] for editing, 
simulating, and verifying CPNs. Object PNs could also have been used, but CPNs are 
largely sufficient for this work. In our current implementation, UI prototyping is 
embedded into the Visual Cafe environment [23] for further refinement. 

Section 2 of this paper gives a brief overview of the UML diagrams relevant to our 
work and introduces a running example. In Section 3, the four activities leading from 
scenarios to executable UI prototypes are detailed. Section 4 reviews related work, 
and in Section 5, we discuss a number of issues related to the proposed approach. 
Section 6 concludes the paper and provides an outlook into future work. 



2 Unified Modeling Language 

The UML [19], which is emerging as a standard language for object-oriented 
modeling, provides a syntactic notation to describe all major views of a system using 
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different kinds of diagrams. In this section, we discuss the three UML diagrams that 
are relevant for our work: Class diagram (ClassD), Use Case diagram (UsecaseD), 
and Sequence diagram (SequenceD). As a running example, we have chosen to study 
a part of an extended version of the Automatic Teller Machine (ATM) system 
described in [2] . 



2.1 Class Diagram (ClassD) 

The ClassD represents the static structure of the system. It identifies all the classes for 
a proposed system and specifies for each class its attributes, operations, and 
relationships to other objects. Relationships include inheritance, association, and 
aggregation. The ClassD is the central diagram of UML modeling. Figure 1 depicts 
the ClassD for the ATM system. 




Figure 1: Class diagram of the ATM system. 



2.2 Use Case Diagram (UsecaseD) 

The UsecaseD is concerned with the interaction between the system and actors 
(objects outside the system that interact directly with it). It presents a collection of use 
cases and their corresponding external actors. A use case is a generic description of an 
entire transaction involving several objects of the system. Use cases are represented as 
ellipses, and actors are depicted as icons connected with solid lines to the use cases 
they interact with. One use case can call upon the services of another use case. Such a 
relation is called a uses relation and is represented by a directed solid line. Figure 2 
shows as an example the UsecaseD corresponding to the ATM system. The extends 
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relation, which is also defined in UsecaseDs, can be seen as a uses relation with an 
additional condition upon the call. A UsecaseD is helpful in visualizing the context of 
a system and the boundaries of the system’s behavior. A given use case is typically 
characterized by multiple scenarios. 




Figure 2: Use Case diagram of the ATM system. 



2.3 Sequence Diagram (SequenceD) 

A scenario shows a particular series of interactions among objects in a single 
execution (instance) of a use case. Scenarios can be viewed in two different ways: 
through SequenceDs or collaboration diagrams. Both types of diagrams rely on the 
same underlying semantics, and conversion from one to the other is possible. For our 
work, we chose to use SequenceDs for their simplicity and wide use. 

A SequenceD shows the interactions among the objects participating in a scenario 
in temporal order. It depicts the objects by their lifelines and shows the messages they 
exchange in time sequence. However, it does not capture the associations among the 
objects. A SequenceD has two dimensions: the vertical dimension represents time, 
and the horizontal dimension represents the objects. Messages are shown as 
horizontal solid arrows from the lifeline of the object sender to the lifeline of the 
object receiver. A message may be guarded by a condition, annotated by iteration or 
concurrency information, and/or constrained by an expression. Constraints are used in 
our work to enrich messages with UI information. 

Figures 3 and 4 depict two SequenceDs of the use case Identify. Figure 3 represents 
the scenario where the customer is correctly identified (regularldentify), whereas 
Figure 4 shows the case where the customer entered an incorrect pin (error Identify). 
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Figure 3: Scenario regularldentify of the use case Identify. 
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Figure 4: Scenario errorldentify of the use case Identify. 



Beyond the UML standard message constraints found in SequenceDs, we define 
the two additional constraints inputData and outputData. The inputData constraint 
indicates that the corresponding message holds input information from the user. The 
outputData constraint specifies that the corresponding message carries information 
for display. Both inputData and outputData constraints have a parameter that 
indicates the kind of user action. This parameter normally represents the dependency 
between the message and the elements of the underlying ClassD. It may be either a 
method name, one or several class attributes, or a string literal (see figures 3 and 4). 

Once the analyst has specified the UI constraints of the messages in the SequenceD 
at hand, this information is used to determine the corresponding widgets that will 
appear in the UI prototype. Widget generation adheres to a list of rules, which is 
based on the terminology, heuristics and recommendations found in [8] and which 
includes the following eight items: 
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• A button widget is generated for an inputData constraint with a method as 
dependency, e.g., Insert_card() {inputData(ATM.insert_card)j in Figure 3. 

• An enabled textfield widget is generated in case of an inputData constraint 
with a dependency to an attribute of type String, Real, or Integer, e.g.. 
Enter _pin() {inputData( Account. password)} in Figure 3. 

• A group of radio buttons widgets are generated in case of an inputData 
constraint with a dependency to an attribute of type Enumeration having a size 
less than or equal to 6, e.g., Select_op() (inputData(Transaction.kind)} in 
Figure 3. 

• An enabled list widget is generated in case of an inputData constraint with a 
dependent attribute of type Enumeration having a size greater than 6 or with a 
dependent attribute of type collection. 

• An enabled table widget is generated in case of an inputData constraint with 
multiple dependent attributes. 

• A disabled textfield widget is generated for an outputData constraint with a 
dependency to an attribute of type String, Real, or Integer. 

• A label widget is generated for an outputData constraint with no dependent 
attribute, e.g., Pin_error() { outputData}" Pin Incorrect")} in Figure 4. 

• A disabled list widget is generated in case of an outputData constraint with a 
dependent attribute of type Enumeration having a size greater than 6 or with a 
dependent attribute of type collection. 

• A disabled table widget is generated in case of an outputData constraint with 
multiple dependent attributes. 



3 Description of Approach 

In this section, we detail the iterative process for deriving a system UI prototype from 
scenarios using the UML and CPNs. Figure 5 presents the sequence of activities 
involved in the proposed process. 

In the Scenario Acquisition activity, the analyst elaborates the UsecaseD, and for 
each use case, he or she elaborates several SequenceDs corresponding to the scenarios 
of the use case at hand. The Specification Building activity consists of deriving CPNs 
from the acquired UsecaseD and SequenceDs. During Scenario Integration, CPNs 
corresponding to the same use case are iteratively merged to obtain an integrated CPN 
of the use case. Integrated CPNs serve as input to both the CPN Verification and the 
UI Prototype Generation activities. During Prototype Evaluation, the generated 
prototype is executed and evaluated by the end user. In the CPN Verification activity, 
existing algorithms can be used to check behavioral properties. 

In the following subsections, we will discuss in detail the four activities of the UI 
prototyping process: scenario acquisition, specification building, scenario integration, 
and UI prototype generation. The CPN verification activity is discussed in [4]. 
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Figure 5: Activities of the proposed process. 



3.1 Scenario Acquisition 

In this activity, the analyst elaborates the UsecaseD capturing the system 
functionalities, and for each use case, he or she acquires the corresponding scenarios 
in form of SequenceDs. For instance, the UsecaseD of the ATM system is shown in 
Figure 1, and two SequenceDs of the use case Identify are given in figures 3 and 4. 

Scenarios of a given use case are classified by type and ordered by frequency of 
use. We have considered two types of scenarios: normal scenarios, which are 
executed in normal situations, and scenarios of exception executed in case of errors 
and abnormal situations. The frequency of use (or the frequency of execution) of a 
scenario is a number between 1 and 10 assigned by the analyst to indicate how often a 
given scenario is likely to occur. In our example, the use case Identify has one normal 
scenario (scenario regularldentify with frequency 10) and a scenario of exception 
(scenario errorldentify with frequency 5). This classification and ordering is used for 
the composition of UI blocks [5]. 



3.2 Specification Building 

This activity consists of deriving CPNs from both the acquired UsecaseD and all the 
SequenceDs. These derivations are explained below in the subsections Use case 
specification and scenario specification. 

3.2.1 Use Case Specification 

The CPN corresponding to the UsecaseD is derived by mapping use cases into places. 
The transition leading to one place {Enter) corresponds to the initiating action of the 
use case. A place Begin is always added to model the initial state of the system. After 
a use case execution, the system will return, via an Exit transition, back to its initial 
state for further use case executions. The place Begin may contain several tokens to 
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model concurrent executions. Figure 6 depicts the CPN derived from the ATM 
system’s UsecaseD (Figure 2). 

In a UsecaseD, a use case can call upon the services of another one via the relation 
uses. This relation may have several meanings depending on the system being 
modeled. Consider a use case UCj using a use case Uc^. Figure 7(a) shows the general 
form of this relation. The use case Uc, is decomposed into three sub-use cases: t/c„ 
represents the part of Uc, executed before the call of Uc ,2 represents the part of 
Uc, that is concurrently executed with Uc^, and UCj^ represents the part executed after 
the termination of Uc^. Note that one or two of these three sub-use cases may be 
empty. The figures 7(a) through 7(g) depict the eight possible mappings. 




Figure 6: CPN derived from the UsecaseD of the ATM system. 

A relation of type (g) between t/c, and Uc^ means that Uc^ precedes Uc,. This implies 
that UCj is not directly accessible from the place Begin. So the transitions from the 
place Begin to the place representing Uc, must be substituted for an Enter transition 
into Uc^ and an Enter transition from Uc j 'vato Uc^. In the ATM system (Figure 1), all 
three uses relations are of type (g), and the initial CPN (Figure 7) must be updated 
accordingly (Figure 9(a)). 




Figure 7: Possible mappings of the uses relation (Uc, Uc^. 
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The designCPN tool, which we adopted in our work, allows for the refinement of 
transitions, hut does not support the refinement of places. Therefore, in order to 
substitute the use cases, which are represented as places, for CPNs representing 
integrated scenarios (see Subsection 3.3), the CPN obtained after processing the uses 
relation (Figure 8(a)) requires adaptation: each subnet Enter place^ Exit is 
substituted for a simple transition representing the use case underlying place, (cf. 
dashed ellipse in Figure 8(a)), and intermediary places such as endldentify are inserted 
(see Figure 8(b)). 




(a) (b) 

Figure 8: CPN of the UsecaseD of the ATM system after (a) processing the uses relation, 
and (b) adaptation to designCPN. 



3.2.2 Scenario Specification 

For each scenario of a given use case, the analyst builds an associated table of object 
states. This table is directly obtained from the SequenceD of the scenario by 
following the exchange of messages from top to bottom and identifying the changes 
in object states caused by the messages. For example, tables 1 and 2 show the object 
state tables associated with the scenarios regularldentify (Figure 3) and errorldentify 
(Figure 4). In such tables, a scenario state is represented by the state vector of the 
objects participating in the scenario (column Scenario state in Table 1 and 2, resp.). 

From each object state table, a CPN is generated by transforming scenario states 
into places, and messages into transitions (see figures 9 and 10)^. Each scenario is 
assigned a distinct color, e.g., rid for the regularldentify scenario, and eid for the 
errorldentify scenario. All CPNs (scenarios) of the same use case will have the same 
initial place (state) which we call B in figures 9 and 10. This place will serve to link 
the integrated CPN (see below) with the CPN modeling the UsecaseD of the system 
(Figure 8(b)). 



^ For readability, we do not show screen dumps produced by designCPN, but replace them with 
CPNs redrawn by hand. 
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Objects 

Messages\„^^ 


Cus- 

tomer 


ATM 


Bank 


Account 


Scenario state 


Insert_card 


Present 


Card_in 


void 


void 


Sl={ Present, Card_in, 
void, void) 


Enter_pin 


Present 


Pin-entered 


void 


void 


S2=| Present, Pin_entered, 
void, void ) 


Connect 


Present 


Pin-entered 


Connected 


void 


S3={ Present, Pin_entered, 
Connected, void } 


Check 


Present 


Pin-entered 


Connected 


Checked 


S4={ Present, Pin_entered, 
Connected, Checked) 


Pin_ok 


Present 


Pin-entered 


Valid_pin 


Checked 


S5={ Present, Pin_entered, 
Valid_pin, Checked) 


Card_ok 


Present 


Valid-card 


Valid_pin 


Checked 


S6=|Present, Vaild_card, 
Valid_pin, Checked) 


Select_op 


Present 


Selection 


Valid_pin 


Checked 


S7={ Present, Selection, 
Valid_pin, Checked) 


Confirm 


Present 


Confir- 

mation 


Valid_pin 


Checked 


S8= { Present, Confirmation, 
Valid_pin, Checked) 



Table 1: Object state table associated with the scenario regularldentify. 



Objects 

Messages'\^^ 


Cus- 

tomer 


ATM 


Bank 


Account 


Scenario state 


lnsert_card 


Present 


Card_in 


void 


void 


Sl={Present, Card_in, void, 
void) 


Enter_pin 


Present 


Pin-entered 


void 


void 


S2={ Present, Pin_entered, 
void, void) 


Connect 


Present 


Pin-entered 


Connected 


void 


S3={Present, Pin_entered, 
Connected) 


Check 


Present 


Pin-entered 


Connected 


Checked 


S4={ Present, Pin_entered, 
Connected, Checked ) 


lnvalid_pin 


Present 


Pin-entered 


Invalid_pin 


Checked 


S9={ Present, Pin_entered, 
Invalid_pin, Checked ) 


lnvalid_card 


Present 


Invalid- 

card 


lnvalid_pin 


Checked 


S 10= { Present, Invalid_card, 
Invalid_pin, Checked ) 


Pin_error 


Present 


Invalid_pin 


Invalid_pin 


Checked 


SI 1=1 Present, lnvalid_pin, 
Invalid_pin, Checked ) 


Eject_card 


Present 


Idle 


Invalid_pin 


Checked 


SI 2= {Present, Idle, 

Invalid_pin, Checked ) 



Table 2: Object state table associated with the scenario errorldentify. 
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Figure 9: CPN corresponding to the regularldentify scenario. 




Figure 10: CPN corresponding to the errorldentify scenario. 



Note that in scenario specification, only the building of the object state tables is 
manual. The rest of the operation is fully automatic. 

The next activity of the approach, scenario integration, requires as input serialized 
CPNs. Since designCPN uses SGML as interchange format and since conversion 
tools between SGML, XML, and Java are readily available, we decided to represent 
CPNs in XML. In our current implementation, we use the transformation scheme as 
depicted in Figure 11. Using the designCPN tool, the analyst will edit and then save 
the use case CPN and all scenario CPNs into the textual SGML format. Then, the SX 
tool [1] is used to do the conversion from SGML to rough XML (RXML), and the 
XJParse Java program [9] to convert RXML into XML. 
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Figure 11: Generation of CPNs in XML format from UsecaseD and SequenceDs. 



3.3 Scenario Integration 

In this activity, we aim to merge all CPNs corresponding to the scenarios of a use case 
UCj, in order to produce an integrated CPN modeling the behavior of the use case. Our 
algorithm is based on a preliminary version presented in [ 6 ]. It takes an incremental 
approach to integration. Given two scenarios with corresponding CPNs CPN i and 
CPN2, the algorithm merges all places in CPN; and CPN2 having the same names. 
The merged places will have as color the union of the colors of the two scenarios. 
Then, the algorithm looks for transitions having the same input and output places in 
the two scenarios and merges them with an OR between their guard conditions. In the 
following, we describe the algorithm in pseudocode, using the “dot”-notation known 
from object-oriented languages. 

Uc, . IntergrateScenarios ( ) 

scList = Uc, . getListOf Scenarios () ; 

// returns the list of scenarios of the use case Uc^ 
uc_cpn = getXML (scList [0] ) ; 

// returns the XML file corresponding to the scenario scList[0]. 
i=l ; 

while (i < scList . size () ) 

sc_cpn = getXML (scList (i) ) ; 

sc_cpn = makeUniguelD ( uc_cpn, sc_cpn) ; 

uc_cpn = merge (uc_cpn, sc_cpn) ; 

i=i+l; 

end 

end Uc^ . IntergrateScenarios 



XML identifies each element in a CPN (place, transition, edge, etc.) by a distinct 
identifier (ID). Before integrating two scenarios, the method makeUniqueiD checks if 
both the two input files uc_cpn and sc_cpn comprise distinct IDs. In case they share 
common IDs, makeUniqueiD will modify the IDs of sc_cpn by adding the maximum 
ID of uc_cpn to all IDs of sc_cpn. 

Merging (integrating) two scenarios whose CPNs have the colors [scj and [scj, 
respectively, will produce a CPN with the list [sc,, scj as color. The operation of 
merging follows the steps described below: 








178 



Mohammed Elkoutbi and Rudolf K. Keller 



merge (uc_cpn, sc_cpn) 

uc_cpn. addPlaces ( sc_cpn) 

// adds in uc_cpn places of sc_cpn that do not exist in uc_cpn 
for each t in sc_cpn . getListOf Transitions ( ) 
t' = uc_cpn.LookForTrans (t) 

// t' is a transition of uc_cpn with ‘t^^t ' and t»=t ' • 
if (t' does not exist) 
uc_cpn . addtrans ( t ) 
end if 

end 

uc_cpn. addEdges (sc_cpn) 

// adds to uc_cpn edges of sc_cpn that do not exist in uc_cpn 
uc_cpn.mergeColors (sc_cpn) 

// calculates the new color of the integrated CPN (uc_cpn) 
uc_cpn . putColorsOnPlaces ( sc_cpn) 

// all places of the net will have the merged color 
uc_cpn . putGuardOnTransit ions ( sc_cpn ) 

// common transitions will be guarded by the merged color, 

// the others will be guarded by their original colors 
uc_cpn . putVar iablesOnEdges ( sc_cpn) 

// put on edges variables or token expressions 
end merge 



The result of applying this algorithm on the two scenarios of the use case Identify 
(figures 9 and 10) is shown in Figure 12. 




Figure 12: CPN of the use case Identify after merging the scenarios regularldentify and 

errorldentify . 



When integrating several scenarios, the resulting specification captures in general 
not only the input scenarios, hut perhaps even more. Figure 13 gives an example 
illustrating this issue: the resulting scenario Sc will capture the initial scenarios Scj 
(T],T 2 ,Ts,T 4 ,Ts) and Sc 2 (T],Tg,Ty,T 4 ,Tg), as well as the two new scenarios 
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(Tj,T2,Ts,T4,Tg) and (T j,T^,T-/,T4,Ts). After integrating the two scenarios, the initial 
place B (see Figure 13) will be shared, yet we do not know which scenario will be 
executed, and neither the color of Scj nor the color of Sc2 can be assigned to B. This 
problem was described by Koskimies and Makinen [12], and we refer to it as 
interleaving problem [6]. 

To solve the interleaving problem, we introduce a chameleon token, i.e., a token 
that can take on several colors [6]. Using designCPN, a chameleon token is modeled 
by a list of colors. Upon visiting the places of the integrated net, it will be marked by 
the intersection of its colors and the colors of the place being visited. When the token 
passes to the place Si, it keeps the composite color [sci, SC2], and if it passes from Sj 
to S2, its color changes to [scj] and will remain unchanged for the rest of its journey, 
or if it passes from Sj to Sg, its color changes to [ SC2] and will remain unchanged for 
the rest of its journey. 




Figure 13: Interleaving problem of scenario integration: (a) scenario Sc^, (b) scenario Sc^ 
and (c) integrated scenario Sc. 
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Transitions that belong to only one of the scenarios Sc, and Sc, will be guarded by 
the color of their respective scenarios (see and T„ in Figure 13(c)). But this is 

not the case for the transitions T, and T„ which are required to transform tokens from 
the composite color (list of colors) to a single color. Therefore, they must be guarded 
by the list of colors. For transitions that are shared by the two scenarios Sc, and Sc,, 
they will be guarded by the composite color (see T, in Figure 13(c)) or by a 
disjunction of single colors of scenarios (see in Figure 13(c)). 

An integrated CPN corresponding to a given use case can be connected to the CPN 
derived from the UsecaseD through a transition that is appended to the place B of the 
integrated CPN. This transition transforms the uncolored tokens of the CPN of the 
UsecaseD to the composite color of the integrated CPN. 



3.4 User Interface Prototype Generation 

In this activity, we derive from the CPN specifications a UI prototype of the system. 
The generated prototype is standalone and comprises a menu to switch between the 
different use cases. The various screens of the prototype represent the static aspect of 
the UI; the dynamic aspect of the UI, as captured in the CPN specifications, maps into 
the dialog control of the prototype. In our current implementation, prototypes are Java 
applications comprising each a number of frames and navigation functionality (see 
Figure 14). 

The activity of prototype generation is composed of the following five operations 
which are described in detail in [6] . 

• Generating graph of transitions. 

• Masking non-interactive transitions. 

• Identifying UI blocks. 

• Composing UI blocks. 

• Generating frames from composed UI blocks. 

These operations follow closely the corresponding operations in the Statechart- 
based approach [6], except for the operation of generating the graph of transitions. 
This operation consists of deriving a directed graph of transitions (GT) from the CPN 
of a given use case. Transitions of the CPN will represent the nodes of the GT, and 
edges will indicate the precedence of execution among transitions: if two transitions 
T, and T, are consecutively executed, there will be an edge between the nodes 
representing T, and T,. 

A GT has a list of nodes nodeList, a list of edges edgeList, and a list of initial nodes 
initialNodeList (entry nodes of the graph). The list of nodes nodeList of a GT is easily 
obtained since it corresponds to the transition list of the CPN at hand. The list of 
edges edgeList of a GT is obtained by linking the transitions in »p with the ones in p» 
for each place p in the CPN . 
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Figure 14: Prototype execution of the ATM system. 

To support prototype execution, a Simulation Window is generated (Figure 14, 
bottom window), as well as a dialog box to Choose Scenarios (Figure 14, middle- 
right window). For example, after selecting the use case Identify from the UseCases 
menu (Figure 14, top window), a message is displayed in the simulation window that 
confirms the use case selection and prompts the user to click the button lnsert_card. 
When this button is clicked, the fields Password and Select Operation are enabled. 
Then, the simulator prompts the user for information entry. When execution reaches a 
node in GT from which several continuation paths are possible (e.g., button Confirm 
clicked), the prototype displays the dialog box for scenario selection. In the example 
of Figure 14, the upper selection corresponds to the scenario regularldentify and the 
lower one to the scenario errorldentify. Once a path has heen selected, the traversal of 
GT continues. 



4 Related Work 

In this section, we review some related work in the area of UI specification and 
automatic generation based on Petri nets. Each of the three approaches presented 
below suggests some high-level UI specification, yet none of them generates these 
specifications from scenario descriptions. For a discussion of work dealing with the 
simulation of specifications and with UI generation from specifications other than 
Petri nets refer to [5]. 

In the TADEUS approach [20] (TAsk-based DEvelopment of User interface 
Software), the development of the UI follows three stages: the requirements analysis 
and specification, the dialogue design, and the generation of the UI prototype. During 
the dialogue design stage, two levels of dialogues are manually built: the navigation 
dialogue that describes the sequencing between different task presentation units 
(dialogue views), and the processing dialogue that describes the changes on UI 
objects inside a dialogue view. The result of generation is a script file for an existing 
UI management system. Dialogue graphs is the formalism used to specify dialogues. 
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It is Petri net based, and it permits to model easily different types of dialogues (single, 
multi, modal, etc.). In this approach, dialogues are manually defined by the UI 
developer. 

Palanque et al. [15] provide the Interactive Cooperative Objects (ICO) formalism 
for designing interactive systems. Using ICO, an object of the system has four 
components: a data structure, a set of operations representing the services offered by 
the object, an object control structure defining the object behavior with high-level 
Petri nets, and a presentation structured as a set of widgets. The windows of the UI 
and their interrelations are modeled with ICO objects. This approach is completely 
manual, wheras in our approach the only manual operation is the building of the 
object state tables (see Section 3.2.2). 

De Rosis et al. [17] propose a task-based approach using Petri nets to describe 
interactive behavior. They represent a UI by a CPN where transitions are the tasks of 
the system and places represent the information display after a task execution. A 
logical projection function is associated to places and transitions of the CPN in order 
to describe in form of conditions the user actions and the information displayed as a 
result of performing actions. To complete the UI description, the designer links the 
physical aspect of the interface to the CPN by means of a physical projection 
function. This work focuses on specifying the UI, yet does not address UI generation. 



5 Discussion of Approach 

Below, we discuss our approach in respect to the following points: scenario-based 
approach, system and object views, visual formalisms for modeling interactive 
systems, and validation of approach. 



5.1 Scenario-Based Approach 

Our approach to UI generation exhibits the advantages of scenario-based techniques. 
In contrast to many data-oriented methods, UIs are generated from specifications 
describing dynamic system behavior, which are derived from task analysis. Once they 
are generated, data specifications may be used as the basis for further refinements. In 
line with Rosson [18] who advocates a “model-first, middle-out design approach” that 
interleaves the modeling of objects and scenarios, we put the emphasis on the 
(dynamic) modeling aspect, and generate the dynamic core of UIs rather than focus 
on screen design and the user-system dialog. 

As scenarios are partial descriptions, there is a need to elicit all possible scenarios 
of the system to produce a complete specification. In our approach, colors of Petri 
nets are used to inhibit scenario interleaving, that is, the resulting specifications will 
capture exactly the input scenarios. The integration algorithm can be configured to 
allow scenario interleaving and to capture more than the mere input scenarios. In this 
way, new scenarios may be generated from already existing ones. 

It is well known that scalability is an inherent problem when dealing with scenarios 
for large applications. Our approach eases this problem by integrating scenarios on a 
per use case basis, rather than treating them as an unstructured mass of scenarios. 
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5.2 System and Object Views 

In this paper, we focus on using scenarios for the restructuring of the formal system 
specification (system view). In our previous work [5, 13], we have addressed the 
specification of individual objects in interactive systems (object view). In a scenario- 
based approach, the specification of the behavior of a given object can be seen as the 
projection of the set of acquired scenarios on that object. When projecting scenarios 
onto an object, only messages entering and exiting the object are considered. In this 
way, the sequence order of messages in the scenarios is lost, and this can lead to 
capture undesirable behaviors. Furthermore, in an object view, all interface objects 
must be explicitly identified in the underlying set of scenarios. On the other hand, in a 
system view, there is no loss of precision, and the UI can be generated from the 
system specification without the need to explicitly identify UI objects. 

For the purpose of UI generation, a system view is appropriate when in all use 
cases and associated scenarios only one user interacts with the system. In the case of 
collaborative tasks (more than one user interacts with the use cases), however, an 
object view will be more suitable. 



5.3 Visual Formalisms for Modeling Interactive Systems 

Petri nets and Statecharts are among the most powerful visual formalisms used for 
specifying complex and interactive systems. Statecharts are an extension of state 
machines to include hierarchies by allowing state refinement, and concurrency by 
describing independent parts of a system. Concurrency in Statecharts is modeled via 
orthogonal states. An orthogonal state is a Cartesian product of two or more 
Statecharts (threads). Sending messages between threads of an orthogonal state is 
forbidden. Leaving a state of a thread of an orthogonal state leads to exit all threads of 
this orthogonal state. These restrictions do not apply to the Petri net formalism. Petri 
nets are known for their support of pure concurrency, all transitions having a 
sufficient number of tokens in their input places may concurrently be fired. Petri nets 
in their basic form do not support hierarchy, but the extension of Petri nets used in 
tools such as designCPN allow for hierarchies in the specification. 

Non-deterministic choices can more easily be modeled using Petri nets than based 
on Statecharts. When two or more transitions share the same input places, the system 
chooses randomly to fire one of these transitions. In Statecharts, non-deterministic 
choices cannot directly be modeled because messages are ordered and broadcasted to 
all concurrent threads. 

In many UIs, we have to model exclusive executions (modal windows). This can 
easily be done using the history states of Statecharts. When entering a modal window, 
an event must be broadcasted to all concurrent threads to enter their history states. 
After exiting the modal window, all concurrent threads must be re-entered in the 
states they were before. Modeling exclusive execution with Petri nets requires 
extensions of the formalism, as discussed for instance in [11]. 

Tokens that are specific to Petri nets can be used both in controlling and simulating 
system behavior, and in modeling data and resources of the system. If the place Begin 
of the Figure 6 contains only one token, the system can only execute one use case at a 
time. When the place contains n tokens, n concurrent executions of different use cases 
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are possible. It may even be possible to execute n scenarios of the same use case 
(multiple instances). 

Table 3 summarizes the differences between Petri nets and Statecharts based on the 
above discussion, indicating the strengths (+ for good and ++ for very good) and 
weaknesses (-) of the two formalisms. We believe that the considered criteria are all 
highly relevant to modern UIs. Depending on the type of UI at hand, one or the other 
formalism and modeling approach will be more appropriate. 



Criterion 


Petri net 


Statechart 


Concurrency 


-H- 


+ 


Non-determinism 


H- 


- 


History states 


- 


+ 


Multiple instances 


+ 


- 



Table 3: Differences between Petri nets and Statecharts from a Ul perspective. 



5.4 Validation of Approach 

The scenario integration and prototype generation activities have all been 
implemented in Java, resulting in about 4,000 commented lines of code. The Java 
code generated for the UI prototype is fully compatible with the interface builder of 
Visual Cafe. For obtaining CPNs in serialized form, as required by the scenario 
integration algorithm, the XML tools mentioned at the end of Section 3.2.2 are used. 

Our approach has been successfully applied to a number of small-sized examples. 
For further validation, we have started implementing the suite of examples used for 
validating SUIP [22], the implementation of our Statechart-based approach [5]. This 
suite includes a library system, a gas station simulator, and a filing system. The gas 
station simulator will be of particular interest since it involves two actors. “Extreme” 
examples, i.e., examples that lend themselves particularly well to the Petri net or the 
Statechart based approach, respectively, will also be examined, in order to further 
investigate the differences between the two approaches (cf. previous subsection and 
discussion of system versus object views). 



6 Conclusion and Future Work 

The work presented in this paper proposes a new approach to the generation of UI 
prototypes from scenarios. Scenarios are acquired as SequenceDs enriched with UI 
information. These SequenceDs are transformed into CPN specifications from which 
the UI prototype of the system is generated. Both static and dynamic aspects of the UI 
are derived from the CPN specifications. 

The most interesting features of our approach lie in the automation brought upon 
by the deployed algorithms, in the use of the scenario approach addressing not only 
sequential scenarios but also scenarios in the sense of the UML (which supports, for 
instance, concurrency in scenarios), and in the derivation of executable prototypes 
that are embedded in a UI builder environment for refinement. The obtained prototype 
can be used for scenario validation with end users and can be evolved towards the 
target application. 
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As future work, we plan to move in three directions. As mentioned above, we 
intend to further pursue our comparison of modeling approaches. This will also 
include the study of the interrelationship between modeling formalism and the UI 
paradigm being supported. Second, we wish to investigate backward engineering, that 
is, allowing the automatic modification of scenarios through the UI prototype. Finally, 
we plan to further study the verification aspect of scenario-based modeling [4], 
especially the completeness of the system specification obtained from partial 
descriptions in form of scenarios. 
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Abstract. Coloured Petri nets (CPNs) are used to specify and anal- 
yse the Class 2 Wireless Transaction Protocol (WTP). The protocol 
provides a reliable request /response service to the Session layer in the 
Wireless Application Protocol (WAP) architecture. When only a single 
transaction is considered occurrence graph and language analysis reveals 
3 inconsistencies between the protocol and service specihcation: (1) the 
initiator user can receive two TR-Invoke.cnf primitives; (2) turning User 
Acknowledgement on doesn’t always provide the User Acknowledgement 
service; and (3) a transaction can be aborted without the responder user 
being notihed. Based on the modelling and analysis, changes to WTP 
have been recommended to the WAP Forum®*’’*. 
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^ The specifications for each layer of the WAP architecture are available via 
www.wapforum.org. Throughout this paper we refer to WAP Version 1.1. However 
for WTP, Draft Version 11- June- 1999 is the basis of the analysis. This has been 
accepted as WTP Version 1.2. 
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color States = with WAIT.TIMEOUT | RESULT .WAIT | RESULT _RESP_WAIT | 
LISTEN I TIDOK.WAIT | INVOKE.RESP.WAIT; 
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color TransData = 
SendTID:Uintl6 
RcvTID:Uintl6 
HoldOn:Flag 
Uack:Flag 
AckSent:Flag 
RCR:RCR_c 
AEC:AEC.c 
Data:Counter 
Timer:Flag; 



record 

(* TID to send - 0..TID.MAX *) 

(* TID expected to receive - O..TID_MAX *) 
(* True if HoldOn ack received -0/1 *) 

(* True if User Ack requested -0/1 *) 

(* True if Ack(TIDok/TIDve) sent - 0/1 *) 
(* Retransmission Counter - 0..RCR-MAX *) 
(* Ack Expiration Counter - 0..AEC.MAX *) 
(* Data - int *) 

(* True if Timer on - 0/1 *) 
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4.6 Protocol Data Units 
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color InvokePDU-C = record 
CON:Flag *(* Continue - 0/1 *) 

GTRFlag *(* Group Trailer - 0/1 *) 

TTRFlag * (* Transmission Trailer -0/1 *) 

PSN:PSN.c * (* Packet Sequence Number - 0..255 *) 
RID:Flag * (* Retransmission Indicator - 0/1 *) 

TID:Uintl6 * (* Transaction Identifier - 0..TID.MAX *) 
Data:Counter * (* Data - int *) 

TIDnew:Flag * (* Indicates wrapping of TID - 0/1 *) 

UP: Flag; (* True if User Ack on - 0/1 *) 
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N.lnvokePDU invoke 
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1 Uack=#UP(invoke),Timer=1 , AckSent=0}) 
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[(TIDTest(#TID(invoka), i ^ LastTID 

LastTID)=false ; — 
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/ / 

LastTID ^ / j 



1 CON 

n n n 

In n 

n 1 

1 n 



n n n 
n n 1 

n n n n 

1 

1 1 



n n X 

1 

1 11 
n 11 



color AckPDU _c = record 



TveTok:Flag; {* TID verification/TID Ok - 0/1 *) 
color AbortPDU_c = record 
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AbortType:AbortType_c * (* Provider/User *) 

AbortReason:AbortReason_c; (* UNKNOWN, PROTOERR, . . . *) 



1 n 1 

color PDU = union lnvokePDU:lnvokePDU_c + ResultPDU:ResultPDU_c + 
AckPDU:AckPDU_c + AbortPDU:AbortPDU.c; 
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Abstract. This paper discusses liveness verification of discrete-event 
systems modeled by n-safe ordinary Petri nets. A Petri net is live, if 
it is possible to fire any transition from any reachable marking. The 
verification method we propose is based on a partial order method called 
network unfolding. Network unfolding maps the original Petri net to an 
acyclic oceurrence net. A finite prefix of the occurrence net is defined to 
give a compact representation of the original net’s reachability graph. A 
set of transition cyeles is identified in the hnite prehx. These cycles are 
then used to establish necessary and sufficient conditions that determine 
the original net’s liveness. 
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3.6 About the Sizes of the Nets 
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4 Analysis of the DSSl Model 
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4.2 Prioritised Transition Instances for Fast Debugging 
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4.3 Supporting the Stubborn Set Method 
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4.6 About the Positively Verified Properties 
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5 Future Work 
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Abstract. We present two new question-guided stubborn set methods 
for state properties. The first method makes it possible to determine 
whether a marking is reachable in which a given state property holds. 
It generalises the results on stubborn sets for state properties recently 
suggested by Schmidt in the sense that his method can be seen as an im- 
plementation of our more general method. We propose also alternative, 
more powerful implementations that have the potential of leading to bet- 
ter reduction results. This potential is demonstrated on some practical 
case studies. As an extension of the first method, we present a second 
method which makes it possible to determine if from all reachable mark- 
ings it is possible to reach a marking where a given state property holds. 
The novelty of this method is that it does not rely on ensuring that no 
transition is ignored in the reduced state space. Again, the benefit is in 
the potential for better reduction results. 
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Definition 2. The Full State Space of a PT-net is a directed graph SG 
V,E), where V Mi) and E Mi,t,M 2 ) V T V Mit)M 2 . □ 
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Proposition 1. The conditions D1 and D2 hold if the following hold for every 
t Ts M): 

1. If t\ T M ti), then t 2 M) M ^ 2 )- 

2. If M t), then p t M p) <W p^t) p Ts M). 

3. IfMt), then t) Ts M). □ 
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Definition 3. Let M be a marking and cj) a state property eonstructed from the 
atomic state propositions <Pi i I ■ The set of the indices of the atomic 
state propositions which are satisfied in M is denoted ori 0 M). The set of the 
indices of the atomic state propositions which are not satisfied in M is denoted 
off^ M). Formally: 

ori 0 M) i I Pi M) and ofF^ M) i I pi M) □ 
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Proposition 2. Let M and M be markings and (f> a state property constructed 
from the atomic state propositions Pi i I ■ Then the following holds: 
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5 Up/Down and Satisfiability Sets 
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Definition 4. Let p be a state property eonstrueted from the atomie state propo- 
sitions Pi i I and let Mq Mi). A set of transitions T T has the up 
set property in Mq with respect to p iff the following holds for all occurrence 
sequenees Mq tit 2 tn)Mn starting in Mq: 

p Mo) p M„) j j n tj T 

A set of transitions T T has the down set property with respect to p iff the 
following holds for all markings M,M M/), all t T, and all i I: 

M t) M Pi M) Pi M) t T 

A set of indiees J I has the satisfiability set property in Mq with respect 
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6 Preserving Reachability of State Properties 
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Definition 5. Let M be a marking and 4> a state property eonstructed from the 
atomic state propositions ipi i I . A set M) T is Reachability of a 
State Property Preserving (RSPP) stubborn in M, iff the following hold: 

D1 If ti, ... An / 7s AI), t Ts M), M t\t 2 tn)Mn, and Mnt)M^, then 
there is M such that M f)M and M t\t 2 tn)M.^. 

SPPl If <j) M) and t M f) t down^ t % M) then up^ M) % M). 
SPP2 For every i sat^ M) there is an occurrence sequence Mq t\)M\ ^ 2 ) 
tn)Mn such that M Mq, tj is a key transition ofTs Mj-i) for j n, 
and (f Mn) up^. M„) ”^qTsMj). □ 




Lemma 1. Let (f be a state property, SG V,E) the full state space, and 
SSG Vssgj Essg) SS state space constructed using RSPP-stubborn sets. 
Let Mo VssG be a marking such that 4> Mq) and for which there exists an 
occurrence sequence Mq t\)Mi t 2 ) tn)Mn such that (f Mn) holds. Then there 
is a marking Mq Mo)ssg such that the following holds. 

1. There are transitions ^ 2 , ■ • • > o.nd markings M 2 , . . . , such that 

Mq ^ 2 ) tm)^m ^"^bt (f) M„) holds. 

2. The occurrence sequence in item 1 leading to a marking where f holds is no 
longer than the original occurrence sequence, i.e., m n. 
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3. The length of the occurrence sequenee in item 1 has decreased, i.e., m < n, 
or the set of the atomic state propositions of f which are satisfied has grown, 
i.e., ori 0 Mo) on^ Mq). □ 
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Theorem 1. Let (j) be a state property, SG V,E) be the full state spaee, 
SSG VssG, Essg) an SS state spaee construeted using RSPP-stubborn sets, 
and let Mq Vssg- Then: 
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Definition 6. Let M be a marking and p a state property. A set Ts M) T is 

Home State Property Preserving (HSPP) Stubborn in M, iff Ts M) is 

RSPP stubborn in M and the following hold: 
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Theorem 2. Let (f> be a state property, SG V, E) be the full state space, 
SSG VssG, Essg) an SS state space constructed using HSPP stubborn sets, 
and let Mq Vssg- Then: 
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8 Implementation 
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8.1 Implementation of Up/Down and Satisfiability Sets 



V 



V 

Definition 7. Let M be a marking and 4 o- state property. The up set up^ M) 
in M is defined as follows. If 4 holds in M we define up^ M) . If 4 does not 
hold in M we define up^ M) aeeording to the following cases: 

Case 4 M p) fc ; up^ Af) consists of the transitions which can remove to- 
kens from p and which add at most k tokens to p: 

up^ Af) t T Wp,t)>Wt,p) W t,p) k 

Case 4 M p) k : If p contains too few tokens then up^ Af) consists of the 
transitions which can add tokens and do not require additional tokens to be 
present onp, and ifp contains too many tokens then up^ M) consists of the 

transitions which can remove tokens from p and which add at most k tokens: 

( t T Wp,t)<Wt,p) W p,t) M p) tfMp)<k 

^ \ t T W p,t) >W t,p) W t,p) k ifMp)>k 

Case 4 M p) fc ; up^ Af) consists of the transitions which can add tokens 
and which do not require additional tokens to be present on p: 



up 0 M) t T W pfi) <W t,p) W p,t) M p) 
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Case (j) M p) k : up^ M) consists of the transitions which can change the 
marking of p and which do not require additional tokens to be present on p: 

up^ Af) t T W p,t) W t,p) W p,t) k 

Case f M pi) > M P 2 ) or cf M pi) M P 2 ) : 

up^ Af) t T W t,pi) - W pi,t) > W t,p2) - W p2,t) 

Case (f) M pi) M P 2 ) : up^ M) 

j t T W t,pi) - W pi,t) > W t,p2) - W p2,t) if M pi) < M P 2 ) 

[ t T W t,pi) - W pi,t) < W t,p2) - W p2,t) if M pi) > M P 2 ) 

Case (j) M pi) M P 2 ) : 

up^ Af) t T W t,pi) ~ W pi,t) W t,p2) -W p2,t) 

Case f 4>i (j )2 • up^ M) is the up set of one of the cfiS which does not hold 

in M: 

( 01 M) up^ M) up^^ M) ( 02 M) up^ M) up^^ Af) 
Case 0 01 02 ; up^ Af) up^^ Af) up^^ Af) □ 

Definition 8. Let f be a state property. The down set down^ is defined as fol- 
lows: 

Case 0 M p) k : down^ t T W p,t) < W t,p) W p,t) k 

Case 0 M p) k : down^ t T W p,t) W t,p) W p,t) k 

Case 0 M p) k : down^ t T W p,t) W t,p) W t,p) k 

Case 0 M p) k : down^ t T W p,t) > W t,p) W t,p) < k 

Case 0 Af pi) > M P 2 ) or 0 Af pi) Af P 2 ) : 

dowri0 t T W pi,t) - W t,pi) > W P2,t) - W t,p2) 

Case 0 M pi) M P 2 ) or cj) M p\) M P 2 ) : 

down^ t T W t,pi) -W pi,t) W t,p 2 ) -W p 2 ,t) 

Case 0 01 02 or 0 0i 02 ; down^ down^^ down^^ □ 

Definition 9. Let M be a marking and 0 a state property constructed from the 
atomic state propositions Pi i I ■ The satisfiability set sat<^ Af) in Af is 
defined as follows. If 0 Af) holds then sat^ Af) . Otherwise it is defined as 
follows. 

Case 0 ipi : sat^ Af) i 

Case 0 01 02 ; sat^ Af) sat^^ Af) sat^^ Af) 

Case 0 01 02 ; sat^ Af) is the satisfiability set of one of the fiS which does 

not hold in Af; 

01 Af) sat0 Af) sat0j Af)) 02 Af) sat^ Af) sat^2 ^)) 

□ 
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V V 

Proposition 3. Let M be a marking and assume that up^ M) T, down^ 

T, and sat^ M) I are constructed aeeording to Def. 7, Def. 8, and Def. 9, 
respeetively. Then the following hold: 

1. up^ M) has the up set property in M with respect to (j). 

2. dowri 0 has the down set property with respeet to cf). 

3. sat^ M) has the satisfi, ability set property in M with respect to f. □ 

8.2 Implementation of RSPP and HSPP Stubborn 
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9 Applications 
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Abstract. This paper presents two related algebras which can be used 
to specify and analyse concurrent systems with explicit timing informa- 
tion. The first algebra is based on process expressions, called t-expressions, 
and a system of SOS rules providing their operational semantics. The 
second algebra is based on a class of time Petri nets, called ct-boxes, 
and their transition firing rule. The two algebras arc related through a 
mapping which, for a t-expression, returns a corresponding ct-box with 
behaviourally equivalent transition system. The resulting model, called 
the Time Petri Box Calculus (tPBC), extends the existing approach of 
the Petri Box Calculus (PBC). 

Keywords: Net-based algebraic calculi; time Petri nets; relationships 
between net theory and other approaches; process algebras; box algebra; 
SOS semantics. 
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5.2 An Example Motivating Illegal Actions 
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5.3 Time Divergence 
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Abstract: An earlier paper considered appropriate properties for abstract net 
components (or nodes) in the Coloured Petri Net formalism. This paper augments 
that earlier work in three main areas — it proposes general canonical forms for 
such node refinements, it identifies two other forms of refinement which will 
be used in concert with node refinement, and it considers the compositionality 
of these refinements. All of them maintain behavioural compatibility between 
refined and abstract nets, which is captured by the notion of a system morphism. 

Keywords: Theory of High-Level Petri Nets, Abstraction, Refinement 

1 Introduction 

The abstraction (and refinement) of Petri Nets is not new and dates back to Carl 
Adam Petri himself (e.g. [16]). One approach has been to use abstraction to focus on 
the stractural relationship between the abstract and refined nets in terms of net morphisms 
[1, 3, 4, 6, 17]. In the case of Free Choice nets, the structural compatibility has 
behavioural implications, namely the maintenance of traps and syphons. In the context 
of High-Level Petri Nets (such as CPNs [9] and Predicate-Transition Nets [8]), the 
approach adopted has typically been to use abstraction to aid the process of developing 
a Petri Net model, with the abstraction subsequently being discarded when the model 
is simulated or analysed [17]. Thus CPNs, as formalised by Jensen [9] and implemented 
in the Design/CPN tool [10], provide substitution transitions together with place 
fusion for building Hierarchical Coloured Petri Nets (HCPNs). While substitution 
transitions maintain structural compatibility, there is no concept of abstract behaviour, 
since the semantics of the construct are defined in terms of the underlying CPN — in 
fact, the inscriptions on the arcs incident on substitution transitions are simply ignored. 

By contrast, we prefer a view of abstraction in CPNs which respects behavioural 
constraints (as in [15, 18]), so that the abstraction can contribute to the understanding 
of the net and also to its analysis. In discussing behaviour-respecting morphisms for 
Petri Nets, Winskel [18] raised the question of the appropriate form of morphisms for 
CPNs. This paper advocates three forms which respect the colour structures — type, 
subnet mdnode refinement. Each of these maintains behavioural compatibility between 
refined and abstract nets. For type refinement, this means that the refined type values 
can be projected onto the abstract type values; for subnet refinement (or extension), 
the refined behaviour can be restricted to yield the corresponding abstract behaviour; 
for node refinement, a subnet which is abstracted by a place should maintain the 
notion of an abstract marking, and a subnet which is abstracted by a transition should 
have the notion of abstract firing. 

An earlier paper focussed on the notion of abstraction for Coloured Petri Nets 
(CPNs) [12], in the sense of mapping place (or transition) bordered subnets into a 

M. Nielsen, D. Simpson (Eds.): ICATPN 2000, LNCS 1825, pp. 323-342, 2000. 
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single place (or transition). That paper sought to be as general as possible, while 
maintaining behavioural compatibility between the abstract and refined nets. Thus, if 
a place-bordered subnet were to be abstracted to a place, then there needed to be some 
notion of an abstract marking for the subnet, which would only be modified by 
interaction of the subnet with its environment (and not by internal actions of the 
subnet). Similarly, if a transition-bordered subnet were to be abstracted to a transition, 
then there ought to be some notion of abstract firing for the subnet, where a firing 
sequence of the subnet included the firing of border transitions with matching firing 
modes. 

The generality of the above proposals led to difficulties in proving compositionality 
results [13] — it was necessary to constrain the previous definitions in order to prove 
that the composition of two node refinements was also a node refinement. Thus, a 
place refinement was required to be resettable, i.e. a return to the same abstract 
marking could be matched by a return to the same refined marking (of the subnet). 
Similarly, a transition refinement should be able to return to the initial marking (of 
the subnet) after each abstract firing. 

The above raised a dilemma as to whether the more general or the more restricted 
definitions were appropriate. This paper resolves the dilemma by asserting paradoxically 
that both are appropriate. This is achieved by recognising that three forms of refinement 
— type, subnet, and node refinement — are normally used in concert. This means 
that we can propose canonical bases for node refinements which satisfy the more 
constrained definitions, but in conjunction with the other forms of refinement we can 
achieve the generality of the original formulation. 

The current paper is intended to be self-contained, but some aspects from the 
earlier paper are reiterated in abbreviated form. It is therefore desirable that the 
reader has access to the earlier paper. An informal introduction together with a brief 
motivating example is presented in §2. The definitions of CPNs and their refinement 
are found in §3. In §4, we prove the generality of the canonical node refinements. 
Finally, further comments on the use of these refinements and the conclusions are 
given in §5. 

2 Example 

This section presents a simple motivating example for the refinement proposals. The 
example is that of a library loans system and is adapted from an example found in [5]. 

A book in the library will have some associated information, such as the author(s), 
title, publisher, etc. In a CPN, each book can be represented by a token, and this 
information can be captured in a token type called Book. Each book will be in one of 
several states such as available, on loan, and overdue. These states can be represented 
by places in the Petri Net, with the presence of a book token in a place indicating that 
the book is currently in that state. Thus a CPN for the library books could be as 
shown in fig 2.1. 

In this case, we have not shown all the details of the net. Thus, the colour for the 
token type is not indicated in full, nor is the relation between the transition firing 
modes and the variables inscribing the ares. Clearly, however, the firing mode for 
transition Borrow will include sufficient information to identify the book b and the 



user u. 
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Available 




expires 



Colours: 

C(Available) = Book 
C(On loan) = Book x User 
C(Overdue) = Book x User 

C(Borrow) = Book x User 
C(Return) = Book x User 
C(Loan expires) = Book x User 
C(Pay fine) = Book x User 



Fig 2.1 : CPN Books — the lifecycle of library books 
A borrower or user of the library will have some associated information, such as 
their name, contact details, classification of membership, etc. Again, each user can be 
represented by a token type called User, and the various states of the user can be 
indicated by places. In this case, it is convenient to have only one place to indicate 
the state of the user with transitions indicating the possible actions such as borrowing 
or returning a book and paying a fine. Thus, a CPN for the library users could be as 
shown in fig 2.2. 

Idle 



1 ) 



Borrow Return Pay 

fine 




Colours: 

C(Idle) = User X Limit 

C(Borrow) = User x Limit 
C(Return) = User x Limit 
C(Pay fine) = User x Limit 



Fig 2.2: CPN Users — the lifecycle of library users 

The two CPNs above could be combined into a composite system by fusing the 
similarly-named transitions in the two nets. Clearly, many more details could be 
specifed, but the example above will be adequate for our purposes of illustrating the 
forms of refinement which we wish to support. 

The first and simplest form of refinement, which we call type refinement, is to 
incorporate additional information in the net in the tokens and firing modes. However, 
each value of the refined type can be projected onto a value of the abstract type. For 
example, it may be desirable to introduce a further classification of books to vary the 
loan period. As far as the subnet for the books is concerned, this will simply involve 
extending the token type for the places, and extending the corresponding type for the 
various transition firing modes. The projection from refined to abstract type values is 
obvious. The above changes will affect the firing of the Loan expires transition, 
especially in the composite system. It is certainly the case, however, that if there is a 
behaviour of the refined system, then there would be a corresponding behaviour of 
the abstract system. This is the generic behavioural constraint which we require for 
acceptable refinements. 

The second form of refinement, which we call subnet refinement, is to augment a 
subnet with additional places, transitions and arcs. (We also classify as subnet refinement 
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the extension of a token type or mode type to include extra values which are independent 
of previous processing. Here, these values of the extended type are not projected onto 
values of the abstract type but are ignored in the abstraction.) For example, it may be 
appropriate to cater for the reservation of books. In this case, we would add a place 
to hold the reservation status for each book, and the transition Borrow would only fire 
if there were a compatible reservation status on the book for the given user. (We use 
the value (b,-)lo indicate that no-one has a reservation for book b, and the value (b,u) 
to indicate that user u has a reservation on book b.) The modified part of the Books 
subnet is given in fig 2.3. Again we satisfy the constraint that if there is a refined 
behaviour, then there is a corresponding abstract behaviour (which ignores reservations), 
but not necessarily vice versa. 



Available 



Reservation 




Fig 2.3 : Subnet indicating the processing of book reservations 
The third form of refinement, which we call node refinement, is to replace a place 
(or transition) by a place (or transition) bordered subnet. In this paper, we advocate 
the use of canonical forms of such refinements. The basis for a canonical place 
refinement is given in fig 2.4. 




Fig 2.4 : Canonical place refinement 

It has separate input and output border places — in this case there are two of each. 
Each input (output) border place may have more than one incident input (output) arc 
from (to) the environment. Each input border place has an associated accept transition 
which will transfer tokens from the border place to an internal place, here called buf. 
Similarly, each output border place has an associated offer transition which will 
transfer tokens from place buf to the output border place. All the border places and 
the place buf have the same token type, which is also the mode type shared by the 
accept and offer transitions. None of these transitions constrains the flow of tokens, 
e.g. by using a guard. Clearly, the abstract marking of such a canonical place refinement 
is given by the sum of tokens in the border places and the internal place buf 






Composing Abstractions of Coloured Petri Nets 



327 



An arbitrary place refinement will be of the form of the basis of a canonical 
refinement (as above) augmented by subnet refinement which extends the accept and 
oj5^er transitions. It is a contribution of this paper to observe how the combination of 
different refinements extends the generality of the basic constructs. 

In our running example, such an incremental change might be the identification of 
the details of processing a book once it has been returned. In other words, the place 
Available might be replaced by a subnet which takes into account the delay in reshelving 
a book, the possibility of repairs, etc. The node refinement for this place is shown in 
fig 2.5. 

Under 




Fig 2.5 : Subnet indicating the processing of returned books 

Note that this has one input border place called Returned and one output border 
place called On shelves. The accept and p/fer transitions, together with the internal 
place buf constitute the basis of the canonical place refinement. Further activity is 
achieved by the subnet refinement which extends transitions accept and ojfer. This 
subnet retains the identity of the books, and hence it also determines the abstract 
marking of the subnet. Thus, the place buf is redundant, since its marking is equivalent 
to the sum of markings of places For checking. Under repair. Irredeemable, For 
shelving. (It is commonly the case that the place buf is redundant in such place 
refinements.) Further, this abstract marking is not modified by the various actions 
internal to the subnet. Clearly, a refined behaviour of the net will have a corresponding 
abstract behaviour, though the reverse will not necessarily be the case. For example, 
it may be that a book is so damaged that its return to the shelves would be indefinitely 
delayed, in which case further borrowing of that book would be disallowed. 

For transition refinement, the canonical basis is given in fig 2.6. It has separate 
input and output border transitions — in this case there are two of each. Each input 
(output) border transition may have more than one incident input (output) arc from 
(to) the environment. Each input border transition has an associated place reed, 
which receives a token equal to the abstract firing mode, when the input border 
transition has fired with that mode. The transition switch can fire when all the input 
border transitions have fired (with the matching abstract firing mode), thereby 
completing the input phase. It removes the matching tokens from the reed places and 
puts corresponding tokens into all the send places. There is one such send place 
associated with each output border transition. Once such a token is available the 
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output border transition can fire (with the same abstract firing mode). Initially, all the 
reed and send places are empty. 




Fig 2.6 : Canonical transition refinement 

The abstract firing of the transition refinement commences with the firing of any of 
the input border transitions and is completed when all the matching output border 
transitions have fired and the reed and send places are again empty. Only such 
completed firing sequences will have corresponding abstract firing sequences. The 
canonical construction ensures that input border transitions fire before the corresponding 
output border transitions, ensuring the enabling of the corresponding abstract transition. 

An arbitrary transition refinement will be of the form of a canonical refinement (as 
above) together with a subnet refinement which augments the border transitions. In 
our running example, we may wish to refine the Borrow transition to reflect the 
component activities of checking the student identity and processing the book. This 
might be achieved in the subnet of fig 2.7 . 



validate 

user 




process 

loan 

Fig 2.7 : Refined Borrow transition 

Note that the transition validate user may fail to fire (because the user is not 
acceptable). In this case, the abstract firing of this subnet will never complete, and 
hence such an incomplete refined activity will have no corresponding abstract activity. 

Even though the above three forms of refinement can be clearly identified and 
analysed in isolation, they will commonly be used in concert in practical applications. 

3 Formal Definitions 

In this section we present the formal definitions of CPNs in §3.1, and the definition of 
CPN morphisms in §3.2. We identify the notion of system morphisms to capture the 
notion of refinement with behavioural compatibility, in contrast to the more traditional 
net morphisms which (only) specify structural constraints. The definition of our 
proposed refinements is given in §3.3. The definitions and their associated explanatory 
notes should be read together. The explanatory notes in §3.1 are minimal, since we 
assume that the reader has some familiarity with the definition of CPNs (e.g. [9]). 
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3.1 Formal definition of Coloured Petri Nets 

We define Coloured Petri Nets in the context of a universe of non-empty colour sets 
S with an associated partial order <: c Z x Z which is derived from type compatibility 
in the theory of object-oriented languages [2], X <: Y means that the values of X can 
be used in contexts expecting values of Y, and typically it means that X has extra data 
components over Y. In this case, we assume the existence of a (polymorhpic) projection 
function Hy from the values of X to those of Y (which do not appear in any proper 
subtype). For our purposes, we only make use of the fact that values of X are also 
values of Y. 

Given a universe of colour sets Z, we define OZ = {X— >Y|X, Y eZ}, the 
functions over Z, MX = { X ^ N } the multisets over X (where N is the set of 
non-negative integers), and oX = { XjX 2 . . . x^^ | X; e X } the sequences over X. Where 
appropriate, multisets are elements of Z and thus mappings between multisets will 
occur in <I>Z as required. Sum, difference and inequality are defined on multisets in 
the usual way, and a common notation for multisets [9] is adopted, e.g. m = 3'b-i-4'c 
is a multiset with m(b) = 3 and m(c) = 4, the only elements of m. We take the liberty 
of abbreviating I'x as x. We usually name sequences with an asterisk suffix. 
Definition 3.1: A Coloured Petri Net is a tuple N = (P, T, A, C, E, M, Y, M^) 
where: 

(a) P = set of places 

(b) T = set of transitions, with P n T = 0 

(c) A = set of arcs, with AcPxTuTxP 

(d) C = colours of places and (modes) of transitions, i.e. C: P u T ^ Z 

(e) E = arc inscriptions with E: A — > <1>Z where E(p,t), E(t,p): C(t) ^ pC(p) 

(f) M = set of markings, i.e. M = p{(p,c) | p e P, c e C(p) } 

(g) Y = set of steps, i.e. Y = p{(t,c) 1 1 s T, c e C(t) } 

(h) M(, = initial marking, i.e. g M 

Note: The above definition is, to all intents and purposes, equivalent to the common 
definition [9]. Note however, that there is at most one arc in each direction for any 
(place, transition) pair, and that we refer to the firing modes of transitions as colours 
and not as bindings. Thus, the effect of an arc is given by the arc inscription in 
conjunction with a particular mode, rather than the evaluation of an expression in a 
given binding. There is no guard function defined on transitions, but the same effect 
is achieved by limiting the associated set of firing modes. As usual, the markings of N 
are the multisets of (place, colour) pairs, while the steps are the multisets of (transition, 
colour) pairs. While these are derivative quantities, they are included in the tuple so 
that later it will be clear that morphisms map markings and steps to markings and 
steps respectively. 

Definition 3.2: Eor CPN N, xg PuT, XcPuTwe define: 

(a) the inputs of x, »x = { y g P u T | (y,x) g A } 

(b) the outputs of x, x* = { y g P u T | (x,y) g A } 

(c) the border of X, hd(X) = {xeX|3yGPuT\X:yG*xux»} 

(d) the environment of X, env(X) = {yGPuT\X|3xGX:ye*xux»} 

Thus, the border of a set of nodes X, are those nodes connected to other nodes not 

in X, and those other nodes constitute the environment of X. 
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Definition 3.3: For CPN N, the incremental effects E , E^; Y — > M of the 

occurrence of a step Y are given by: 

(a) E“(Y) =2, S {p}xE(p,t)(m) 

(t,m)eY (p,t)eA 

(b) E+(Y) = S X {p)xE(t,p)(m) 

(t,m)eY (t,p)eA 

Definition 3.4: Eor CPN N, a step Y g Y is enabled in marking M e M , written 
M [Y>, if M > E^(Y). If step Y g Y of CPN N is enabled in marking Mj g M, it 
may fire leading to marking M2 £ M, written Mj [Y> M2, with 
M2 = Mj - E^(Y) + E'^(Y). A step seqnence Y* = YiY2...Y„ g oY of CPN N is 
enabled in marking Mj g M and may occur, leading to marking M2 g M, written 
Mj [Y*> M2 if there exists intermediate markings M2', M3', ... M^^' g M such that 
Mj [Yj> M2', M;' [Y;> Mj^j ’ for i G 2, . . . n-1, and M^ [Y^> M2 
Definition 3.5: Eor CPN N, step Y g Y is realisable by Y* g oY in marking 
Mj G M leading to marking M2 g M if Mj [Y*> M2 and ^ y = Y . 

yeY* 

Note: If a step Y is enabled in marking M, then it is realisable by Y. 

Definition 3.6: Eor CPN N, the set of reachable markings Mj^ c M is given by 
Mj^ = { M G M I 3 Y* G oY : Mq [Y*> M } . The set of enabled step sequences 
Y*g c aY is given by Y*g = { Y* g aY | 3 M g M: Mq [Y*> M } . 

3.2 Formal definition of CPN morphisms 

This section defines morphisms between CPNs and distinguishes between net 
morphisms (which respect structnre) and system morphisms (which respect behaviour). 
We allow morphisms to ignore components, but where components do have images 
they will be consistent, i.e. nodes will map to nodes and arcs to arcs. Further, given 
our interest in abstraction, we only consider morphisms which are surjective with 
respect to P', T' and A', i.e. refinements may add or modify components bnt will not 
delete them. Consequently, we can define the preimage of every node. (The fact 
that (|) is surjective means that (|)^' is defined on P' and T'.) 

Definition 3.7: Given a morphism (|): N — > N' and x' g P' u T', we define its 
preimage by N^, = c|)^'(x') and write N^^, = (P^, ^T,.,A,„C„E,„M„Y,„Mq,,). 
Definition 3.8: A net morphism c|): N ^ N' is a mapping from N to N' which is 
structure-respecting, namely: 

(a) (|) is surjective with respect to P', T', A' 

(b) V (x,y) gAoPxT ^ c|)(x) = c^(y) v ((])(x),c|)(y)) g A' n (P' x T') 

(c) V (x,y) gAoTxP ^ c^(x) = (^(y) v ((])(x),(^ (y)) 6 A' n (T' x P') 

This is the common definition of net morphism (albeit with various additional 
constraints) which is primarily concerned with respecting the adjacency properties of 
the net [1, 3, 4, 6, 16, 17]. It does not constrain behaviour (except indirectly) — in 
fact, sets of markings and steps are not normally included. It also does not encompass 
restriction on places and transitions, i.e. where selected places and transitions (and 
their associated arcs) are ignored by the morphism. The compositionality of net 
morphisms is captnred by the following proposition. 

Proposition 3.9: Given two net morphisms (jtp N — > N' and <^ 2 - N' — > N" their 
composition c() = (|)2 o (|)j : N — > N" is a net morphism. 
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Proof: 

The composition of two surjective morphisms is surjective. 

Consider (x,y) s A n P x T and write x' = (|) j(x), x" = (|) 2 (x'), etc. 

By the properties of c|)j, x' = y' (in which case x" = y") or (x', y') g A' n P' x T' 

By the properties of c|) 2 , x" = y" or (x", y") e A" n P" x T" 

Thus (x,y) G A n P X T ^ (|)(x) = t|)(y) v ((|)(x),(|)(y)) g A" n P"x T" 

A similar result follows for (x,y) g A n T x P. 0 

In order to define the behaviour-respecting properties of a system morphism, it is 
desirable to consider complete steps, since the firing of multiple transitions in the 
refinement may correspond to the firing of one transition in the abstraction. 

Definition 3.10: Given a morphism (|): N — > N', a step Y of N is complete if 
Vt'G T': VtG bd(Nj,): c|)({t} x Y(t)) = {t'} x c|)(Y)(t’). 

Thus, a step is complete if all the border transitions occur with matching modes 
(which also match the mode occurrence of the corresponding abstract transition). 
Definition 3.11: A system morphism (|): N ^ N' is a mapping from N to N' 
which is behaviour-respecting, namely: 

(a) (]) is surjective with respect to P', T', A' 

(b) (]) is linear and total over both M and Y. 

(c) V M G Mr! V Y G Y: 

Y is complete and realisable as Yj Y 2 . . . Y^^ at marking M ^ 

(|)(Y) is realisable as (])(Yj)(t)(Y 2 )...(t)(Yjj) at marking (|)(M) 

(d) V M G Mr! V Y g Y: Y is complete ^ 

^(M + E^(Y) - E-(Y)) = (^(M) + t^(E^)((^(Y)) - c^(E-)((^(Y)) 

Note: 

(c) If the refined step is complete, then its realisation can be used to derive the 
realisation of the corresponding abstract step, by projecting or restricting each 
component step. 

(d) This modified rule for the effect of a refined step (cf. [18]) is used since we 
cannot consider the component steps (of its realisation) in isolation. Thus, 
part (c) guarantees the enabling of the abstract sequence, while part (d) captures 
its overall effect 

The above definition clarifies what we mean by behaviour-respecting, also called 
behavioural compatibility. This kind of morphism is called a system morphism to 
emphasise that it is concerned with the behaviour of the net (following the common 
Petri Net distinction of a net concerning the structure, and a system including behaviour). 
This definition is akin to that of Winskel [18], where a Petri Net is a two-sorted 
algebra (the sorts being the markings and the steps) and the morphism is a 
homomorphism which respects the input and output operations (ourE^ and E"*”). 

This definition captures the requirement that we identified earlier, namely that 
refinement constrains the behaviour of the system since refined behaviours have a 
corresponding abstract behaviour. 

Proposition 3,12: Given two system morphisms (])j: N ^ N' and (|) 2 ; N' — > N" 
their composition (|) = (|)2 o c|)j: N ^ N" is a system morphism. 

Proof: 

The composition of surjective morphisms is surjective. 

The composition of total, linear mappings is total and linear. 
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Now, consider an arbitrary marking MgM, c|)j(M)=M'eM', c|)2(M')=M"£M". 
Consider an arbitrary step Ye Y, (|)[(Y)=Y'e Y', (|)2(Y')=Y"e Y". 

Suppose Y and Y' are complete with respect to c|)[ and (|)2 respectively. 

It follows that Y is complete with respect to c|) . 

Then if Y is realisable as YjY 2 ...Yj^, then Y' is realisable as (|)j(Yj)(t)j(Y 2 )...(|)[(Yjj). 
Hence Y" is realisable as c|) 2 ((|)i(Yj)) (|) 2 ((])i(Y 2 ))...(|) 2 ((|)i(Yj^)). 

Also: (1)2 ((|)i(M + E^(Y) - E^(Y))) 

= (|) 2 ((|)i(M) + (|)j(E'")((|)j(Y)) - (|)i(E^)((|)i(Y))) by properties of (|)1 
= (])(M) + c|)(E’^)(c|)(Y)) - c|)(E^)(c|)(Y)) by properties of (|)2 0 

The above proposition tells us that we can combine the different forms of refinement 
(considered in the subsequent section) and we still have a system morphism. 

3.3 CPN Refinements 

We now consider each of the proposed kinds of refinement. For each one, we give a 
formal definition, show that it satisfies our generic constraint, and then indicate how 
it relates to the underlying Place Transition Net (PTN). In each case, the terminology 
reflects the way the incremental change is used, i.e. from abstract to refined, but the 
morphism is always expressed as a mapping from refined to abstract. 

3.3.1 Type refinement 

The first, and perhaps simplest, form of refinement is to retain the structure of the net 
without modification but to replace some (or all) of the token and mode types by 
subtypes. Given our formulation of CPNs, where the arc inscriptions are functions 
(from modes to token multisets), it may not even be necessary to change the arc 
inscriptions, provided that they are given by polymorphic functions. For example, if 
an arc inscription is the identity function, i.e. the mode determines the token to be 
removed or added, then a simple change to both mode and token type would give a 
refined behaviour. If the arc inscription functions are not given by polymorphic 
functions, then they will need to be replaced, but the new versions must be consistent 
with the old. The distinctive thing about type refinement is that there is a projection 
function from subtype to supertype so that every refined state or action has a 
corresponding abstract state or action. 

Definition 3.13: A morphism c|) : N ^ N' captures a type refinement if: 

(a) (|) is an identity function on P, T, A, i.e. Vx e P: (|)(p) = p, etc. 

(b) Vx E P u T: C(x) <: (j)(C)(x) 

(c) VxE P uT: VcE C(x): (|)(r(x,c)) =E (x, n^(o(x)(c)) 

(d) V(p,t) E A: V(t,m) E Y: 

(|)(E^(r(t,m)))(p) = n^(Q(pj(E(p,t)(m)) = c|)(E)(p,t)(n^c)(t)(ii^)) 

V(t,p) E A: V(t,m) e Y: 

c|)(E''(r(t,m)))(p) = n^c)(p)(E(t,p)(m)) = t|)(E)(t,p)(r4(Q(j)(m)) 

Note: 

(a) There is no change to the structure of the net — to places, transitions and 
arcs. 

(b) The colours associated with the places and transitions are consistently subtyped. 

(c) Given the consistent structure, the morphism is defined for all markings and 
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steps using the appropriate projection functions (see §3.1). 

(d) The arc inscriptions are consistent, i.e. the projected effect of a mode or step 
is the same as the effect of the projected mode or step. 

Proposition 3.14: A morphism (|): N ^ N' which captures a type refinement is 
a system morphism (in the sense of def 3. 1 1 ). 

Proof: 

c|) is surjective on P T', A', and is linear and total on M, Y. 

Given M e Mj^ and an enabled step Y e Y, i.e. M [Y> 

Y is necessarily complete since N^. is always a single transition. 

From def 3.13(c), M' = c()(M) e M' and Y' = c|)(Y) e Y' are both defined 
The enabling in N means M > E^(Y) and hence c|)(M) > (|)(EYY)) 

Def 3.13(c, d) implies that c|)(M) > (|)(E^ )(t>(Y) and hence Y' is enabled, i.e. M' [Y'> 
Hence, (|)(M - E^Y) + E'^(Y)) = M’ - (|)(EY(Y') + ct)(E'")(Y') 

Hence, (|)(M + E’"(Y) - E^(Y)) = M’ + (|)(E^)(Y') - c|)(E^)(Y') 0 

This result is actually stronger than that required by def 3.11 in that every enabled 
refined step is complete and has a corresponding enabled abstract step. In other 
words, given the realisation of a refined step, we can determine a realisation of the 
corresponding abstract step. 

In §2 we gave an example of type refinement, where the book token type was 
extended with information about the loan type. There were corresponding changes to 
the relevant transition firing modes. This form of refinement can eliminate some 
abstract behaviour since the refined token requirements of a transition may not be 
satisfied, even though the abstract requirements are. Thus, the firing of the Loan 
expires transition may now be constrained by the loan type. 

The underlying PTN for a CPN has one (colourless) place for each (place, colour) 
combination of the CPN, and one (colourless) transition for each (transition, colour) 
combination. If we relate this morphism to the underlying PTN (in the sense of 
refining the behaviour), then each value will potentially be replaced by a number of 
values (given the additional data components), and hence it is apparent that it corresponds 
to unfolding a place (transition) into a number of places (transitions). This form of 
net transformation (and its converse) have been classified as unfolding and folding 
[ 1 ]. 

3.3.2 Subnet refinement or extension 

The second form of refinement is to add net components — places, transitions and 
arcs, or even additional token or mode values. As a morphism (from refined to 
abstract nets), this would be called a restriction, since net components are being 
discarded or ignored. Where token or mode types are extended, then in contrast to 
§3.3.1, abstraction does not project the additional refined values onto abstract values 
but rather ignores them. (In the equivalent unfolded PTN, this is the same as ignoring 
places, transitions and arcs.) This does not satisfy the structure-respecting requirements 
for a net morphism (def 3.8), but it does qualify as a system morphism (def 3.11). 
Definition 3.15: A morphism (|) ;N ^ N' captures a subnet refinement if: 

(a) The net structure is restricted, i.e. Vp e P: (|)(p) is defined => (|)(p) e P, and 
similarly for T, A. 

(b) Vx E (^(P) u c|)(T): C(x) □ (j)(C)(x) 
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(c) Vxe P uT: Vce C(x): (|)(r(x,c)) = r(x,c) if x e c|)(P) u c|)(T), otherwise 0 

(d) VY e Y: 0(E^(Y)) = ^(E^)(^(Y)) and (^(EYY)) = (^(EY (^(Y)) 

Note: 

(a) The sets of places, transitions and arcs may be restricted by c|) . 

(b) The colours associated with retained places and transitions may be restricted. 

(c) Given the consistent colouring, the morphism is simply defined for all markings 
and steps. 

(d) The restricted incremental effect of the step is the same as the incremental 
effect of the restricted step. This implies that ignored components can refer 
to, but cannot permanently modify, retained components. 

Proposition 3.16: A morphism (]): N ^ N' which captures a subnet refinement 
is a system morphism (in the sense of def 3.11). 

Proof: 

c|) is surjective onP', T', A', and is linear and total on M, Y. 

Given M e Mj^ and an enabled step Y e Y, i.e. M [Y> 

From def 3.15 (c), M' = (|)(M) e M and Y' = (|)(Y) e Y' are both defined 
Y is necessarily complete since N^, is always a single transition. 

The enabling in N means M > E^(Y) and hence (|)(M) > (|)(EYY)) 

Def 3.15 (c, d) implies that (|)(M) > (|)(E^) c|)(Y) and hence Y' is enabled, i.e. M' [Y'> 
Hence, (t)(M - E^Y) + E'^CY)) = M’ - (|)(E^) (Y') + (|)(E^)(Y') 

Hence, ct)(M + E^'CY) - E^(Y)) = M’ + c|)(E’')(Y') - (j)(E^)(Y') 0 

As with type refinement, this result is stronger than that required by def 3. 1 1 in that 
every enabled refined step is complete and has a corresponding enabled abstract step. 
In other words, given the realisation of a refined step, we can determine a realisation 
of the corresponding abstract step. 

In §2 we gave an example of subnet refinement, where the subnet was augmented 
to cater for book reservations. The abstract behaviour of the net was restricted by the 
refinement — if a book can be borrowed given the possibility of reservations (the 
refined case), then it can also be borrowed if reservations are ignored (i.e. the abstract 
case). 

If we relate this morphism to the underlying PTN, then it is immediately apparent 
that it corresponds to a net transformation (and its converse) which have been classified 
&s embedding (or extension) and restriction [1]. 

3.3.3 Node refinement 

The third form of refinement is the replacement of a place (transition) by a place 
(transition) bordered subnet, also called a superplace {supertransition). We refer to 
this as node refinement to distinguish it from the other forms of refinement being 
considered, even though traditional Petri Net theory simply refers to it as refinement 
[1]. The desirable properties of node refinement for CPNs have been considered 
elsewhere [12]. For behavioural consistency, it was argued that the subnet which 
refines a place should have the notion of an abstract marking, and the subnet which 
refines a transition should have the notion of abstract firing. These constraints were 
captured by requiring the morphism to be structure-respecting, colour-respecting, 
marking-respecting and step-respecting. Here, we propose canonical place and 
transition refinements, and in §4 compare this approach to the previous one. In any 
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case, the morphism for a node refinement is both a net morphism and a system 
morphism. 

Definition 3.17: Given a morphism (|): N — > N' then Np, is a canonical place 
refinement of p' e P' provided: 

(a) VpG P-Pp,: VtG T-Tp,: (|)(p) = p a c|)(t) = t a 

(p,t) G A ^ ((p,t) G A A E(p,t) = E'(p,t)) A 
(t,p) E A ^ ((t,p) G A A E(t,p) = E’(t,p)) 

(b) VtG env(Np,):E'(p',t)= X E(p, t) and E'(t,p') = X E(t,p) 

(p,t)eAn(Pp- xT) (t.p)eAn(TxPp- ) 

(c) bd(Np.) = {inpl, inp2, ... outl, out2, ...} 

(d) Pp, =bd(Np.) u {buf} uP^p^^p 

(e) Tp, = { accept 1 , accept2, . . . offer 1 , offer2, . . . } u 

(f) Ap, ={(inpl,acceptl), (acceptl,buf), ... (buf,offerl), (offerl,outl), ...} u Ap^p^^p 

(g) 'inpl c env(Np.) a inpl* = {acceptl } a ... 
outl* c env(Np.) a *outl = {offerl } a . . . 

*buf = {acceptl,...} a buf* = {offerl,...} 

(h) Vx G Pp,-P„p,,p u Tp,-T„p,,p: Cp,(x) = C(x) = C'(p') 

(i) Va G Ap,-Ap„„p^p: Ep(a) = Id 

(i) Vp e P: Vc e C(p): (])(r (p,c)) = l'(p',c) if p e Pp-Pother 

= 0ifpG Pp,p,,p 

= E(p.c) otherwise 

Vt e T: Vc G C(t): (|)(r(t,c)) = I'CCc) if t g Tp, otherwise 0 

Note: 

(a) Apart from the subnet Np, and its incident arcs, the rest of the net is unchanged. 

(b) The flow of tokens across the boundary of the place refinement is consistent. 

(c) The border of the subnet consists of the places inpl , . . . , outl , 

(d-f) The component places, transitions and arcs consist of the basis places, transitions 
and arcs respectively, plus others which constitute the subnet refinement of 
the accept and ojfer transitions (cf. fig 2.4). 

(g) The input (output) border places only have input (output) from (to) environment 
transitions, other arcs incident on basis places are exactly those of part (e). 

(h) The colour of the basis places and transitions are all the same. 

(i) The arc inscription for all the basis arcs is the identity function. 

(i) In abstracting the place refinement, the abstract marking is given by the 
marking of the basis places and the internal actions are ignored. 

Proposition 3.18: A morphism (|): N — > N' with a canonical place refinement 
constitutes a system morphism. 

Proof: 

(|) is surjective on P ', T', A', and is linear and total on M, Y. 

Given M g Mj^ and an enabled step Y g Y, i.e. M }Y> 

Prom def 3.17 (j), M' = c|)(M) g M' and Y' = (])(Y) g Y' are both defined 
Y is necessarily complete since N^, is always a single transition. 

Given the linearity of (|), M > E^(Y) implies (|)(M) > (|)(E^(Y)) 

Prom def 3.17 (a, b), (|)(M) > c|)(E^) (c|)(Y)) and hence Y' is enabled, i.e. M' [Y'> 
Hence, (|)(M - E^Y) + E'"(Y)) = (^(M) - (^(E^)(Y') + (|)(E'")(Y') 

Hence, (|)(M + E’"(Y) - E^(Y)) = (|)(M)+ c|)(E'')(Y') - (^(El(Y') 



0 
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As with type and subnet refinement, this result is stronger than that required by def 
3.11 in that every enabled refined step is complete and has a corresponding enabled 
abstract step. In other words, given the realisation of a refined step, we can determine 
a realisation of the corresponding abstract step. This is not the case for the following 
transition refinement. 

Definition 3.19: Given a morphism (|): N ^ N' then N^. is a canonical 

transition refinement of t' e T' provided: 

(a) Vp E P-Pj,: Vt E T-Tj.; (|)(p) = p a c|)(t) = t a 

(p,t) E A ^ ((p,t) E A A E(p,t) = E'(p,t)) A 
(t,p) e A ^ ((t,p) e A A E(t,p) = E'(t,p)) 

(b) VpE env(N,):E'(p,t')= ^ E(p, t) and E'(t’,p) = X E(t,p) 

(p,t)eAn(PxTi, ) (t,p)eAn(T,, xP) 

(c) bd(Nj,) = {inpl, outl, ... } 

(d) Pj, = {recdl, . . ., sendl, . . . } u 

(e) Tj, = bd(Nj,) u { switch) u 

(f) Aj, = {(inpl, recdl), (recdl, switch), ... (switch, sendl), (sendl, outl), ...} u 

A 

other 

(g) ‘inpl c env(Nj,) u Posher *recdl = {inpl } a recdl* = (switch) a . . . 

outl* c env(Nj,) u Pother ^ sendl* = (outl ) a *sendl = (switch) a ... 

*switch = (recdl,...) a switch* = (sendl,...) 

(h) Vx E P,-P„.,,^ u C,(x) = C(x) = C'(t') 

(i) Va e E/a) = Id 

0) VpeP,-P„.,,-Mo/p) = 0 

(k) Vp E P: Vc E C(p): (|)(r(pv)) = T(P>c) if p e P-Pj. otherwise 0 

Vt E T: Vc E C(t): (|)(r(t,c)) = r(t',c) if t = switch 

= 0 if t E Tj, - { switch) 

= l'(t,c) otherwise 

Note: 

(a) Apart from the subnet N^, and its incident arcs, the rest of the net is unchanged. 

(b) The flow of tokens across the boundary of the transition refinement is consistent. 

(c) The border of the subnet consists of the transitions inpl, outl , 

(d-f) The component places, transitions and arcs consist of the basis places, transitions 
and arcs respectively, plus others which constitute the subnet refinement of 
the border transitions (cf. fig 2.6). 

(g) The input (output) border transitions only have input (output) from (to) 
environment places or the other internal places, the basis places only have the 
incident arcs of part (e). 

(h) The colour of the basis places and transitions are all the same. 

(i) The arc inscription for all the basis arcs is the identity function. 

(j) The initial marking of all basis places is empty. 

(k) The internal marking of the supertransition is ignored by the abstraction and 
the firing of the switch transition corresponds to the abstract firing of t’. 

Proposition 3.20: A morphism (|): N ^ N' with a canonical transition refinement 
constitutes a system morphism. 

Proof: 

(|) is surjective on P ', T', A', and is linear and total on M, Y. 
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Given M g Mj^ and a complete step Y e Y. 

From def 3.19 (k), M' = (|)(M) g M' and Y' = (|)(Y) g Y' are both defined 

Suppose Y is realisable as YjY 2 . . . Y^^ at M 

Consider ct)(Yj) (jtCYj). . -(|t(Yjj ) and, in particular, an arbitrary element (|)(Yj) 

Transitions external to N^, occur in t|)(Yj) exactly as in Yj and are similarly enabled. 

Transitions internal to N^. apart from switch occuring in Y; are ignored in c|)(Y;) 

The transition switch in Nj, occuring in Y; occurs as t' in c|)(Y;) 

Completeness guarantees that border transitions occur with the same mode(s) as t' 

The canonical construction guarantees that the input tokens are consumed first. 

Thus, transition f is enabled in (|)(Yj) 

Finally, defs 3.10, 3.19(b) guarantee that the total effect of Y and Y' are the same 

Hence, (|)(M + E'^(Y) - E^(Y)) = (|)(M)+ c|)(E’')(Y') - c^(E^)(Y') 0 

Definition 3.21: A morphism (|): N ^ N' captures a canonical node refinement 
if c|) has a canonical place or transition refinement. 

In §2 we gave examples of node refinement, one where a place was replaced by a 
subnet to indicate the more detailed processing of a book on its return from loan, and 
one where a transition was replaced by a subnet to indicate more of the details of 
borrowing a book. Again, such refined behaviour had corresponding abstract behaviour, 
but not necessarily vice versa. 

If we relate this morphism to the underlying PTN then it corresponds to the refinement 
of a place or transition by an appropriately-bounded subnet. This form of net 
transformation (and its converse) have been classified as refinement and abstraction 
[ 1 ]. 

4 Properties of Abstractions 

The previous section has defined three forms of CPN refinement which maintain 
behavioural compatibility. In this section we show that even though they appear to be 
quite constrained, they are at least as general as the earlier proposals [12]. 

The earlier proposals reqnired that the flow of tokens across the boundaries of node 
refinements should be consistent with the corresponding abstractions: 

Definition 4.1: A strncture-respecting morphism (|): N ^ N' is colour-respecting 
if C, E' of N' satisfy: 

(a) V x' G F u T ': V X G bd(N,^,): C(x) <: C'(x') 

(b) V(x',y')GA': E'(x',y') = ^ I E(x,y) 

Note: xebd(N„, ) yebd(Ny, ) 

(a) The colour of a superplace or a supertransition must be compatible with the 
colours of the corresponding places or transitions in its border. 

(b) The morphism preserves the token transfer across the interfaces between 
superplaces and supertransitions. 

The above property is satisfied by the node refinements proposed in §3.3.3 as is 
apparent from defs 3.17 (b) and 3.19 (b). The propositions which follow will guarantee 
the converse, namely that the colour-respecting morphisms we consider have 
corresponding canonical node refinements. 

In the earlier paper [12], it was argued that behavioural compatibility required that 
place refinements should have an associated abstract marking which was invariant 
over the internal actions of the subnet. This was captured by the following property. 
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Definition 4.2: A colour-respecting morphism (|): N ^ N' is marking-respecting 
if: 

(a) (|) is linear and total on M 

(b) Vp'G P': VM G M: (|)(M)(p' ) = ^(|)(M(p)) 

PeNp, 

(c) Vp'G P': Mj [(t,c)>M 2 : 

(jtCMjXp') = (|)(Mi)(p') - ^ E(p,t)(e) -H ^E(t,p)(c) iftGenv(Np.) 

pEbd(Np. ) pebd(Np. ) 

= ct)(Mj)(p') otherwise 

Note: 

(a) For regularity, (]) is linear and defined over all components of M, not just 
reachable markings, which would be the minimal requirement. 

(b) The abstract marking of a superplace is determined by the refined markings 
of its constituent places. This is largely implied by requirement (c) but it is 
clearer to state it explicitly. 

(c) The abstract marking of a superplace is only modified by environment 
transitions and not by other external transitions or internal transitions. 

The following propositions elucidate the relationship between marking-respecting 
morphisms and the canonical place refinements of §3.3.3. 

Proposition 4.3: A morphism (|): N ^ N' with a canonical place refinement (as 
in def 3.17) is marking-respecting. 

Proof: This follows directly from def 3.17 (j). 0 

Proposition 4.4: An arbitrary marking-respecting refinement can be transformed 
into an behaviourally compatible canonical place refinement where the internal place 
buf is redundant. 

Proof: 

Build the basis of a canonical place refinement as follows: 

• for each border place with one or more input arcs from the environment, 
introduce a new input border place which usurps those input ares; 

• from each new input border place, add an arc to a corresponding accept 
transition (which is newly introduced), and add an arc from this accept transition 
to the original border place; 

• for each border place with one or more output arcs to the environment, 
introduce a new output border place which usurps those output arcs; 

• from each such original border place, add an arc to a corresponding ojfer 
transition (which is newly introduced), and add an arc from this ojfer transition 
to the new output border plaee; 

• add a new place buf with input arcs from all the newly introduced accept 
transitions and output arcs to all the newly introduced offer transitions; 

• the token and mode type of all introduced places and transitions is that of the 
token type for the abstract place, and the new arcs all have the same identity 
function as inscription. 

This process is illustrated in fig 4.1, where the original components are shaded: 

• the border place b (which has both input and output arcs with the environment) 
is replaced by two border places ib (for input) and ob (for output) 

• there is an accept transition ab eorresponding to the new input border place ib 
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• there is an ojfer transition ob corresponding to the new output border place ob 

• the input arc from the environment incident on b is now incident on ib 

• the output arc to the environment ineident on b is now incident on ob 

• there is a new input arc incident on b and a new output arc incident on b 
Similarly for the other border places a and c. 




Fig 4.1: Arbitrary place refinement 

The behaviour of the transformed net is compatible with the original (see def 3.11): 

• as soon as a token is deposited into a new input border place, the corresponding 
accept transition can fire, depositing a copy of the token into the corresponding 
original border place, and a copy is also added to the place buf 

• as soon as a token is available in one of the original border places with an 
output arc to the environment, then the corresponding ojfer transition can be 
fired, making the token available in the new border place (and thence to the 
environment) 

• given a transition sequence of the modified net, the corresponding original 
sequence can be extracted by ignoring the firing of accept and offer transitions. 

Note that the place buf is redundant (and therefore could be eliminated): 

• when an environment transition of the original plaee refinement deposited 
one or more tokens into the border places, the abstract marking given by 
c])(M)(p') varied by exactly those tokens (see def 4.2(c)). 

• with the new refinement, the same property holds (except that we now have 
new input border places). 

• the removal of tokens from any new input border place (by firing the 
corresponding accept transition) is matched by depositing the token in the buf 
place and in the corresponding original border place. 

• the firing of the original internal transitions did not affect the abstract marking, 
and hence it stays synchronised with the marking of place buf {see def 4.2(c)). 

• finally, the removal of tokens from the original place refinement is now 
matehed by the removal of tokens from the place buf 

Finally, it is straightforward to check that the original subnet has become a subnet 
refinement augmenting the accept and offer transitions of the basis for a 
canonical place refinement. 0 

Again, the earlier paper [12] argued that behavioural compatibility required that 
transition refinements should have the notion of abstract firing. This was captured by 
the following property. 
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Definition 4.5: A colour-respecting morphism (|): N ^ N' is step-respecting if 

(a) (|) is linear on Y 

(b) if Ye Y is realisable at Me M, and (])(Y) is defined with c|)(Y)=Y'e Y' realisable 
at (])(M) = M' e M', then 

V t e bd(N,,): Y(t) = Y'(t') 

(c) if Ye Y is realisable at Mje M leading to M 2 , and (|)(Y) is defined with 
c|)(Y)=(f,c')e Y' realisable at (|)(Mj) = Mj' e M*, then: 

M 2 (p) = Mi(p) - ^ E(p,t)(c’) -t 2,E(t,p)(c') ifpeenv(Nj,) 

tebd(Nf) tEbd(Nf) 

-Mi(p) ifpeP-P, 

Note: 

(a) c|) is linear, i.e. (|)(Yj-i-Y 2 ) = (|)(Yj) + (|)(Y 2 ) provided (|)(Yj), c|)(Y 2 ) are defined. 

(b) The occurrence of border transitions is determined by the abstract firing 
modes. This is largely implied by requirement (c) but it is clearer to state it 
explicitly. 

(c) Of the places external to the supertransition, only the environment places are 
modified and only by the effect of the border transitions. 

Proposition 4.6: Given a morphism (|): N ^ N' with a canonical transition 

refinement N^,, a realisable step Y of N has a corresponding realisable step of N' if 
and only if it is complete. 

Proof: 

Consider a complete step Y realisable as the sequence Y*: 

In Y*, each abstract firing of N^. will include a firing of the transition switch. 

The input border transitions of Nj, will fire prior to the firing of switch. 

The consumed tokens could also be consumed later — just before the switch. 

The output border transitions of N^, will fire after the firing of switch. 

The generated tokens could be generated earlier — just after the switch. 

Hence, the complete firing of N^, could be replaced by the abstract firing of f 
Specifically, the firing of t' could replace the switch transition in the sequence. 
Conversely, suppose a refined sequence is not complete: 

Then the firing of some border transition is not included. 

The corresponding token transfers will not occur. 

Hence, the effect on the environment will not match that oft'. 0 

The following propositions elucidate the relationship between step-respecting 
morphisms and the canonical transition refinements of §3.3.3. 

Proposition 4.7 : A morphism (|): N — > N' with a canonical transition refinement 
is step-respecting. 

Proof: 

Every refined step has a corresponding abstract step. 

If the refined step is complete and realisable, then so is the abstract step (prop 4.6). 
The construction ensures that all border transition have the same occurrence modes 
Hence property (b) of def 4.5 holds. 

Property (c) then follows from def3.19 (a,b). 0 

Proposition 4.8: An arbitrary step-respecting transition refinement with distinct 
input and output border transitions can be transformed into a behaviourally compatible 
canonical transition refinement. 
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Proof: 

An arc to a corresponding reed place is added from each input border transition. 

An arc from a corresponding send plaee is added to eaeh output border transition. 
The subnet is augmented by a switch transition. 

The subnet is augmented by ares from the reed plaees to the switch transition. 

The subnet is augmented by ares from the switch transition to the send plaees. 
Behavioural compatibility can be demonstrated by ignoring the firing of switch. 

It is straightforward to check that the original subnet is a subnet refinement augmenting 
the accept and offer transitions of the basis for a canonical place transition. 0 
The above results demonstrate that the eurrent proposals, while being more 
preseriptive, are just as general as the earlier proposals. 

5 Conclusions and Further Work 

This paper has significantly extended a previous one on the abstraction of CPNs [12]. 
The context is that of refining CPNs while maintaining behavioural compatibility. 
We have identified three kinds of refinement, namely type, subnet and node refinement. 
In practieal applications, it is anticipated that these will be used in concert. Further, 
we have shown that by considering node refinement in conjunction with subnet 
refinement, it was possible to propose a eanonical form for node refinement whieh 
could be extended by subnet refinement to be behaviourally compatibile with an 
arbitrary node refinement (as in [12]). 

We have shown that the proposed refinements all qualify as system morphisms, 
and that the eomposition of system morphisms is also a system morphism. This 
notion of morphism is an extension of that proposed by Winskel [18]. By identifying 
the three kinds of refinement, we have proposed an answer to the question posed by 
Winskel, namely the appropriate kind of morphism for CPNs. 

There are a number of interesting avenues for further work. Given the generality 
of these canonieal forms, we propose to incorporate them into a Petri Net tool, 
thereby supporting the designer in produeing well- structured specifications. By 
imposing behavioural constraints on abstraction, it is possible to use the abstraction to 
prove properties about the modelled system, which is often important for large eomplex 
systems with exeessively large state spaces. We are continuing to investigate the 
range of applicability of these forms of refinement to practical problems [11]. We are 
also developing ineremental reachability algorithms to take advantage of the behavioural 
compatibility [14]. Further down the track, we would like to identify when refinements 
are in some sense independent and hence ean be analysed in isolation. 
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2.1 Definition of Petri Nets 



Definition 1. A Petri net [4] is 4~tuple { 
places, is the set of transitions ( 
baekward ( resp. forward) incidenee application from 
A marked Petri nets is a couple o where 
the initial marking. 



+ where : is the set of 

), ~ (resp. is the 

to IN. 

is a Petri net and o 'is 



Definition 2. Let ( ^ + 6e a Petri net and o Us initial mark- 

ing. A vector of IN^ is called a marking of ; denotes the number of tokens 
contained in place . A transition is fireable at a marking if and only if: 

. The marking obtained by the firing of is defined 
by: — ^ + . One notes, that 

means that is fireable at and reaches . By extension, a marking is 
reaehable from a marking if there exist a sequenee o i n and a 
set of markings i „ sueh that o i i i 2 n n 

The set of reachable markings from o is denoted by o ■ A maximal 

firing sequence is either an infinite fireable sequence or a finite fireable sequence 
leading to a terminal marking (i.e. a marking from which none transition is 
fireable). 
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Definition 6 (Net reduced by a pre or a post-agglomeration). 
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Definition 8. Given a logic ( , and or ) and a marked Petri net 
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Abstract. We investigate structural equivalences on places of P/T nets 
that allow reductions compatible with bisimilarity. This comes with a 
study of two kinds of reductions: fusion of equivalent places, and replace- 
ment of some places by other ones. When effectivity issues are considered, 
we are lead to a variant of place bisimulation that takes into account a 
set of “relevant” markings. 



1 Introduction 



is a formal notion of equivalence between 
places of P/T nets that combines two distinctive features: it agrees with a notion 
of , and it relates equivalent rather than equivalent markings. 

While several early papers adapted Milner’s concept of bisimilarity to the 
transition systems generated by Petri nets [NT84, Pom86], Olderog was the 
first to propose a notion of bisimulation that comes from lifting a bisimulation 
between places [01d89, 01d91]. The main advantage of this approach is that, as 
with many structural methods on Petri nets, it considers the elements (places 
and transitions) of the net rather than the reachability graph (which may be 
infinite). Using Olderog’s method, it was possible to prove that two nets had 
equivalent behaviours just by exhibiting a relation between their places and 
checking a finite number of local constraints. 

The name “place bisimulation” comes from [ABS91] where Olderog’s pro- 
posal is improved and where it was proven that place bisimulation could be used 
to P/T nets (rather than just state two nets have equivalent behaviours). 

are transformations of Petri nets that 
decrease the size. Their main use is as an optimization technique. For such ap- 
plications the reduction must return a net behaviorally equivalent to the original 
one, but smaller in size. This smaller net can be used in place of the original net 
when it comes to implementing the net, or to analyzing it (e.g., for verification 
purposes). 

Place bisimulations yield reductions that preserve the branching-time be- 
haviour. These reductions are (one removes places and transitions. 



M. Nielsen, D. Simpson (Eds.): ICATPN2000, LNCS 1825, pp. 409-423, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 
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and this is what may remove markings) and do not depend on the initial mark- 
ing (or the set of reachable markings). 

The fact that place bisimulations do not depend on the set of reachable 
markings has its pros and cons. On the positive side, this allows polynomial- 
time algorithms, and leads to reductions that are correct whatever the initial 
marking. On the negative side, some reductions that seem obviously correct 
are not given by place bisimulation simply because there exists an (irrelevant) 
alternative initial marking for which they are incorrect. This is the drawback we 
try to alleviate in this paper. 

In this paper we investigate structural reductions of P/T 
nets that preserve bisimilarity and that take into account a notion of which 
markings are relevant. Our starting point is an investigation of what are the 
correct ways of defining an equivalence on places. This departs from earlier 
works where behavioural equivalence is the starting point, and reductions only 
a byproduct. 

We first identify two different, equally natural, reductions based on a notion 
of equivalent places. They are “fusion” and “replacement”. There is a strong 
connection between them but correct fusions only coincide with correct replace- 
ments when we impose (rather strong) structural conditions on the set of relevant 
markings. These theoretical results and the accompanying examples are enlight- 
ening and they help understand why it is quite delicate to take into account a 
set of markings in these structural reduction problems. 

Then, decidability issues impose further restrictions. We end up with a vari- 
ant of place bisimulation that is parameterized by a set of markings, a partial 
answer to what was felt as the main inconvenience of place bisimulation. We say 
the answer is only partial because the set of reachable markings has to satisfy 
some strong closure restrictions. 

We consider bisimilarity as our basic correctness notion 
because it has proven to be a fundamental semantic equivalence in the algebraic 
theory of concurrent systems [Mil89, Mil90, Gla90], because it is more local 
than more classical language-theoretical notions and then often behaves better 
algorithmically, because there exists a very successful verification technology for 
transition systems based on bisimilarity (e.g., [CPS93]), because it has not been 
much studied in the context of Petri nets. 

The work in [ABS91] was continued in [AS92] (studying how true 
concurrency is preserved, and where an algorithm for place bisimulation is given) 
and [APS94] (investigating place bisimulations abstracting from silent moves). 
These works did not start from reduction issues and we find our new approach 
clearer and more natural (also, these works did not try to take into account a 
set of relevant markings). 

Independently, Voorhoeve studied a concept very similar to place bisimula- 
tions [Voo96] . His starting point is also “bisimulation -|- structural equivalences” , 
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but he emphasizes equivalence of behaviours and does not mention applications 
to reductions of Petri nets. 

For optimization purposes there also exists structural reductions that do not 
preserve bisimilarity (e.g., [NKML95, STMD96]). For more specific purposes, 
reductions have also been used as a computational device [Ber86]. E.g., telling 
whether a net is bounded ean be done by reducing it to a normal form where 
boundedness is obvious. Here it is not neeessary that the reductions preserve 
all of the behaviour of the net, only the relevant aspect (boundedness in our 
example) is enough. 

We first recall basic definitions and notations about P/T nets 
and bisimilarity ( 2) . Then we define reductions by fusion ( 3) and by replace- 
ment ( 4). It is then possible to define and study when a correct replacement 
gives rise to a correet fusion and viee versa ( 5). We investigate how correet 
reductions combine ( 6) and show there exists a largest correct reduction, unfor- 
tunately not computable in general ( 7). Place bisimulation is then introduced 
as a computable approximation ( 8) and exemplified ( 9). 

2 Basic Definitions 

N denotes the set of natural numbers. Let = a,b,c, . . . be a finite alphabet 
of 

2.1 Labeled Nets and Their Behaviour 

A is a tuple N = PV, Tjv, FA, fv , where: 

— Pn and Tn are two disjoint non-empty finite sets of and 

respectively; 

— Fat : (Fat Tat) (Tat Pn) N is a (also called fl 

); 

— In ■ Tn labels each transition t Tn with some action ?v(t) from 

We drop the N subscript whenever no ambiguity can arise and present nets with 
the usual boxes and circles graphical presentation. 

Markings are configurations of a net. A M of N can be seen as a 

multiset over P, i.e. a mapping from P into N. This is the viewpoint we adopt 
here. Then M{p) is the number of appearances of place p in multiset M: this 
represents the number of tokens on p in marking M . The set of all possible 
markings is . 

We write M for the size of a marking M (its number of tokens) and, given 
two markings M, M we let A{M, M ) denote the between M and M , 

i.e. the number of tokens one has to move to transform M into M . 
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Given a transition t T, the t and the t oft are the multisets 

of places given by t{p) =' F{p, t) and t {p) =' F{t,p) for any p P. 

A transition t T is in marking M iff p P,M{p) t). An 

enabled transition t may fire, thus performing action l{t). This results in a new 
marking M defined by M = M— t+t {tha,t is, M {p) = M{p)—F{p,t)+F{t,p) 
for any p P) . 

We write N : M * M to denote that M * M is a step in net N. Derived 
notations are “Af * M ” when N is implicit, “M “ M ” when a is l(t), “M “ ” 
when M is not relevant, etc. 



2.2 Bisimulation 

Let N\ = {P\,T\,Fi,li) and N2 = (T2, T2, A2, ^2) be two nets and E, 
be a relation between their markings. 

We say that R has the iff for all Mi, M2 s.t. M1RM2, and 

for all steps A'l : Mi M^, there exists a step N2 ■ M2 M2 s.t. I{t2) = lih) 
and MiRM2- 

If R and R^^ have the transfer property (we sometimes say that R has the 
transfer property in both directions) then A is a between A^i and 

N2 [ParSl, Mil 89 ]. When M1RM2 for a bisimulation R we say that 
and {N2,M2) are bisimilar, written N\,Mi N2,M2- When A"i and N2 are the 
same net, we simply write Mi M2. 

It is well-known that, given any two nets, there exists a largest bisimulation 
between them, and we use [Wi.ATa] to denote it. When N\ = N2, the largest 
bisimulation is an equivalence. Our proofs that relations are bisimulation of- 
ten use basic properties (like [AfaWa] [Wi.ats] [Wi.Afs]) Milner’s “up 
to” technique [Mil 89 ]: we say R has the transfer property 

if M1RM2 and Mi Mi imply that there exists a M2 M2 with M\R M2 
for R =' [Wa.ATa] ^ [Wi.ATi] (and l{t2) = Then R has the transfer 

property. 

3 Reduction by Fusion 

is a natural way of reducing nets, based on the general idea of quotients 
of structures. 

Consider a net N and assume B P P is an equivalence relation between 
places. Then N can be reduced by fusing P-equivalent places into a single place. 
This yields a new net denoted N/B. We write p/B for the equivalence class 
of p (and then for the fused place in N/B). The transitions are untouched but 
the arcs between places and transitions follow the fusion process: formally, if t 
(resp. t ) is pi, . . . ,pk in TV, then in N/B, t (resp. t ) is pi/B, . . . ,pk/B . 
A marking M in TV is fused into a marking m = M/B in N/B. m and M have 
the same number of tokens. Fig. 1 gives an example where B relates p2 and p4. 




Bisimulation and the Reduction of Petri Nets 



413 




N 



r> u 

B = P2 = P4 



N/B 



Fig. 1. Fusion of places as a reduction method 



Fusing places modifies the behaviour, but only in one direction: it adds new 
behaviours. This is captured as 

Fact 3.1. M * M N M/B * M /B N/B 

This implies that _/iJ, defined as (M, M/B) M , has the transfer prop- 

erty from N to N/B. 

A fundamental property is the following weak converse: 

Proposition 3.2. m * m N/B M 

M N m = M/B m =M /B M * M 

Assume m * m . Write M\ for t m. N and pick any M 2 s.t. M 2 /B is 
rn — {Mi/B). Then, in N, M * M for M = M\ + M 2 and M = t + M 2 . 
Clearly, M / B = m . 

An equivalence B between places can be lifted to an equivalence, written B, 
between markings. Formally, if piBp^, . . . ,pnBp^ then pi, . . . B . 

Note that MBM iff M/B = M /B, i.e. 

B = UB)-^ UB). (1) 

Now, a direct reading of Prop. 3.2 gives the following 

Fact 3.3. B B 

4 Reduction by Replacement 

is a second natural way of reducing nets, this time based on the 
general idea of homomorphic images of struetures. 
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Consider a net N and assume h \ P P is a, projection, i.e. for all p P we 
have h{h{p)) = h{p). In TV a place p can be replaced by h{p) whenever h{p) = p. 
This yields a new net, denoted h{N). 

More precisely, h{N) is obtained by redirecting all output edges of transi- 
tions by their projections: if t = M = pi, . . . ,pk in A^, it becomes h{M) =' 
h{pi ), . . . , h{pk) in h{N). All places not in h{P) are removed, all transitions 
that have some input place removed are removed as well. A marking M in N 
yields a marking m = h{M) in h{N). m and M have the same number of tokens. 
Fig. 2 gives an example where ps, and then ts, are removed. 



Pi P2 Pi P2 





N /l “= “P3 l--> P 4 ” ^(-^) 

Fig. 2. Replacement of plaees as a reduction method 



Replacing places modify the behaviour in the following way: 

Fact 4.1. m * m h{N) m, * M N M h{M ) = 

m 

There is a weak converse: 

Fact 4.2. M * M N h{M) = M M * h{M ) h{N) 

5 Correct Reductions 

We are only interested in . Informally, a correet reduetion is a 

reduction such that the redueed net A^ is a correet variant of the original net 
N. 

In this paper, we investigate formal notions of correctness 

1. grounded into bisimilarity, and 

2. only applying to a given set of markings (called ). 
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5.1 Relevant Markings 

In all the following, we assume is a set of relevant markings. Typical 

examples are “the set of all markings reachable from some initial Mq”, or “all 
markings with three tokens” . 

Compared to earlier works on place bisimulation, we remove the basic (im- 
plicit) assumption that all and every markings of the nets under study are mean- 
ingful. It was a very strong assumption, resulting into a very conservative view 
of when two places are bisimilar. 

This is why our new assumption is that we only aim at correction relative to a 
given set of relevant markings. In a sense, this work can be seen as extending the 
earlier place bisimulation theory to a framework with relevant markings. But, 
in addition, the paper also brings a new viewpoint: here we focus on reductions 
while the earlier works focused on semantical equivalences. We think the new 
viewpoint is clearer and more natural. 

5.2 Correctness for N with y4. 

Assume N comes with a set of relevant markings. A reduction is correct if all 
relevant markings are reduced into bisimilar markings in the reduced net. The 
other (= irrelevant) markings are not considered for the correctness issues. 
With this in mind, the following definitions are natural: 

Definition 5.1. B P P correct fusion N 

N, M N/B, M/B M 

Definition 5.2. h : P P correct projection N 

N,M h{N),h{M) M 

We are interested into the connections between these two definitions. Indeed, 
any projection h : Pn Pn naturally induces an equivalence Bh given by 
pBfiP ° h{p) = h{p ). Can we say that Bh is a correct fusion iff /i is a correct 
projection ? It turns out this is not the case in general. 

Fact 5.3. h N, 

Bh 

Figure 3 gives an example where h =' ps Pi, Pi Pi is 
correct (for the set of reachable markings) but Bh, “pi ps Pi\ is not. 

Another example is provided in Figure 4 where h “= p^ p 2 , Pi 

f def 

P 2 and = Pi . 



Fact 5.6. 



h 



B = Bh 



B 




416 Philippe Schnoebelen and Natalia Sidorova 




Fig. 4. /i = p3 



P2,P4 P2 is correct and Bh, “p2 P3 Pi \ is not 



Figure 5 gives an example where B, “pi p2 \ is a correct fusion 
(for the set of reachable markings) but where no h is correct (the figure 
illustrates h=p\ P2 )■ 



Another example is provided in Figure 6 with B given by “p2 
Pa” and h p2 ps . Here =' pi 

It turns out that all these difficulties come from the sets we picked in these 
examples. They disappear when we impose restrictions on possible choices for 

Given N and a set of markings , we say that is , li M and 

M M entail M . The sets in examples 5.4 and 5.7 are succ-closed by 
construction. 




Pl2 

“O 

h(N) 



Fig. 5. B, “pi 



is correct and h = p\ p2 is not 
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Secondly, given an equivalence -B, we say that is B-closed if M and 
MBM entail M . The sets in examples 5.5 and 5.8 are B-closed. 

We can now state the following crucial property, explaining how when is 
succ-closed and B-closed, checking whether B is correct can be done by inspect- 
ing N only. This lemma will be of great help because, in general, it is difficult 
to tell whether a given B or h are correct: indeed, for this we have to compare 
behaviours in N and in N/B, or h{N). 

Lemma 5.9. B B 

Bn{ ) 

N 

( ) This is obvious when = , using (1) and the assumption that 

_/B is a bisimulation. In the general case, B-closure of gives that B D ( 

) = R where R= {M,M/B) M is included into [n,n/b] (by 

assumption). 

( ) Now assume B n { ) is included in , and define R = (M, 

M/B) M . Fact 3.1 and succ-closure of implies that R has the transfer 
property. 

For the other direction, the reasoning underlying Fact 3.3 applies even when 
is taken into account. As a consequence, R is included into \n,n/b]^ so that 
B is a correct fusion. 



Theorem 5.10. h Bh 

h N, Bh N, 

( ) Assume h is a correct projection and consider M\ . Let M 2 

s.t. h{Mi) = h{M 2 ). Correctness of h implies N,Mi h{N),h{Mi) A", M 2 
(since M 2 ), hence M\ M 2 - Thus Bh [w,at] H( ) and Lemma 5.9 
concludes. 
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( ) Now assume that Bh is a correct fusion. Lemma 5.9 and the fact that 

MBhh{M) give that N, M h{N),h{M). 

Our earlier examples show that succ-closure or i?-closure alone is not sufficient 
for Theorem 5.10. 

When is the set of all markings, closure is guaranteed and fusions or 
replacements coincide. In the following, whenever is succ-closed and i3-closed, 
we speak of correct equivalences without more precision on whether we mean 
fusions or replacements. 

6 Combining Correct Reductions 

Correct reductions can be composed, but the natural ways for composing pro- 
jections and for composing fusions are not the same. 

Lemma 6.1. hi N, /i 2 

hi{N),hi{ ) hi{ )=' hi{M) M ) h2 hi 

N, 

Direct from Def. 5.2 and transitivity of bisimilarity. 

Furthermore, if is succ-closed and B/^-closed, and hi{ ) is B/ij-closed, then 
is succ-closed and Bh 2 -closed. 

Now let Bi and Ba be two equivalences and assume is 5i-closed, i? 2 -closed 
and succ-closed. Then 

Lemma 6.2. Bi B 2 N, B = {Bi B 2 ) 

Bi B 2 N, 

Once we notice B-closure of and B = {Bi B 2 ) , Lemma 5.9 does all 
the work. 

A related question is whether, assuming B is a correct fusion, all more con- 
servative reductions are correct too? Here, the intuition underlying the question 
is that an equivalence relation can only be incorrect by making too many iden- 
tihcations, not by making too few. 

Let H be a correct fusion for some N, (assuming is H-closed and succ- 
closed), then 

Lemma 6.3. B B B B 

Use Lemma 5.9 and B B. 

This question can also be investigated in terms of projections: let h be a 
correct projection and h = h 2 hi. Is hi correct? 

Lemma 6.4. h = h 2 hi N, Bh 

hi N, 

First, note that Bh^ Bh and that is Bhi-ciosed. Now, if /i is a correct 
projection then (Theorem 5.10) Bh is a correct fusion, hence (Lemma 6.3) Bh^ 
too, hence (Theorem 5.10) hi is a correct projection. 
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7 The Largest Correct Fusion 

An immediate corollary of Lemma 6.2 is the following: 

Theorem 7.1. N, 

We write R{N, ) for this largest correct fusion. All the equivalences that are 
subsets of R{N, ) are correct fusions (Lemma 6.3). 

Now let be a net with a succ-closed set of relevant markings . We would 
like to compute R{N, ) and use it for reducing N in the most efficient way 
(w.r.t. ). Unfortunately this is impossible because of: 

Theorem 7.2 (Undecidability). R(N, ) 

= N^ 

The proof is long, technical and is omitted. Basically, it shows that the prob- 
lem of telling whether two places p and q are such that Id {p, q), {q, p) is a 
correct fusion for N, is undecidable. This reuses ideas from [Qui95] , extend- 
ing Jancar’s technique [Jan95] to a setting where all possible markings may be 
considered. 



8 Place Bisimulation 



Since R{N, ) cannot be computed in general, we settle for a computable ap- 
proximation: 

In the following we assume a net N and a succ-closed set of relevant 
markings are fixed. The following definition extends earlier proposals from [AS92, 
APS94]: 



Definition 8.1. fi 

lation N, B 

Ml * Ml M2 “ M2 

Hence a place bisimulation is a H s.t. B n ( 



B P P place bisimu- 

Mi^M 2 M1BM2 

M{BM 2 l{t) = l{u) 

) has the transfer property. 



Fact 8.2. 



N, 



Proposition 8.3. N, 

B{N, ) 

Similar to the proof of Theo. 7.1. 

Clearly B{N, ) R{N, ). 



The definition we gave is not very effective, and it does not give a direct way 
to see whether B{N, ) is computable. Indeed, given a potential B, checking 
whether B Cl { ) has the transfer property involves checking an infinite 

number of situations (if is infinite) . 

We now explain how to reduce this to a finite number of checks. 
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Definition 8.4. minimal covers t C{t) 

M t M 



Here “M minimal” means that M and t M M imply M = M . 

Note that Dickson’s lemma implies the finiteness of C{t) for any t. C{t) can 
be empty if there is no way to enlarge t into some element of 



Definition 8.5. 


B P P 


weak transfer property 


B 


t T P t 


q P pBq 


Ml C[t) 


e 

II 


M2 Ml — p + q 


M2 “ M2 


M3BM2 Ml Ml 





Hence the weak transfer property is the transfer property restricted to pairs 
Ml , M2 and steps Mi * Mi where Mi is in the minimal cover C {t) and where 
M2 differs from Mi by only one token. Since this is a weaker property, we have 

Fact 8.6. B{N, ) 

Lemma 8.7. B B B 

We show that Bf){ ) has the transfer property, i.e. “for all M1BM2, 
for all Ml Ml, there is a M2 s.t. by induction over the pair 

( Ml , A{Mi, M2)) ordered lexicographically. 

So let us assume Mi Mi and M1HM2. Write n for Z\(Mi,M2). We dis- 
tinguish four cases: 

1. n = 0: then M2 = M\ and we are done. 

2. n = 1 and Mi C{ti): then we are exactly in the situation where the weak 
transfer property applies. 

3. n > 1: then there is a M3 s.t. M1HM3HM2 and A{Mi, M3) < n for 
i = 1 , 2 . By ind. hyp., we can transfer Mi Mi to some M3 M3 that we can 

then transfer to some M2 M2. We have M1BM3BM2, hence M1HM2. 

4. Ml C{ti): then there is a Mip C{ti) s.t. Mip Mi. We decompose Mi 
as Mip -|- Mi^ 2 and M2 as M24 + M2, 2 s.t. MiyHM2y for i = 1,2. Mi,i Mi 1 
and the ind. hyp. transfers this into a M2,i Af2,i with Mi iBM2^\. We com- 
plete into M2 M2 "= M21 + M2, 2 and have M1HM2. 

We have the immediate corollary: 

Theorem 8.8. fl B 

B{N, ) 

Finiteness of C{t) implies that checking whether a given B has the weak transfer 
property only involves a finite number of checks. Therefore the following abstract 
algorithm computes B{N, ): 
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Algorithm 8.9. a labeled Petri net N, and a succ-closed set of relevant 

markings. 

B{N, ). 

Let B = E{N, ), “the largest place equivalence under which is 

closed” . 

Check if B has the weak transfer property: 

— If it has, then B is B{N, ). 

— Otherwise, there is a t T, a M C{t), a p M, a q P with pBq s.t. 
M * M can not be imitated from M — p + q. Then remove the pairs {p, q) 
and (g,p) from B and return to step 2. 



This algorithm is obviously correct and stops after a finite number of steps. Its 
complexity depends on the size of C(t), and the cost of computing C{t) and 
E{N, ). 

Note that it is possible to run the algorithme starting with any equivalence E 
included in E{N, ) (i.e. any E such that is Li-closed), and obtain the largest 
place bisimulation included in E, a safe approximation of B{N, ). 

9 Place Bisimulation in Practice 

When we want to use Algorithm 8.9 in practice, we face 
two problems: we need some effective way of computing C(t) for t T, and we 
need to compute E{N, ) that will be the hrst upper approximation of B{N, ). 

Whether this can be done depends on how is given. In the simple case 
where is finite, then C{t) and E{N, ) are computable in a direct way. More 
interestingly, when is given by a Presburger formula (i.e., is a semilinear 
set) then C{t) and E{N, ) can then be defined by Presburger formulas, and can 
be effectively computed: indeed assume P = pi, . . . ,pk and is given by the 
Presburger formula . . . ,nk)- Then (pi,pj) E{N, ) iff . . . ,nk) 

rii > 0 entails 'tpi'ni, ■ . ■ ,rii — 1, . . . ,rij + 1, . . . , Uk)- 

As far as we could judge by dealing with a few examples, the 
equivalences we compute with Algorithm 8.9 are not much of an improvement 
over the classical notion of place bisimulation where all markings are considered 
as relevant. 

The reason seems to bo that, when using Algorithm 8.9, wo first have to give a 
succ-closed set . If this is a large set, then it contains many irrelevant markings 
and this defeats the purpose of our study. If is as small as possible (e.g., it 
contains only the reachable markings) then this may impact the equivalence 
E{N, ) computed in and make it quite drastically limited even before it 

is refined into a place bisimulation. 

In the end, we can only argue the usefulness of our definition with ad-hoc 
examples, so that it seems like it is mostly a theoretical contribution to place 
bisimulation. Our hope is that this contribution can be combined smoothly with 
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the ideas from [APS94] where silent moves are abstracted from, and that this 
combination does work well in practice. 

10 Conclusion 

This paper proposed a new point of view on Petri net reductions based on the 
bisimilarity notion, and that do not aim at correctness for all markings. 

We started with a net N and looked at reductions that lead to bisimilar 
configurations for any of the markings in some set . It turns out restrictions 
must be imposed on in order to get a smooth theory. 

Since the largest correct reduction is in general not computable, place bisim- 
ulations is an elegant close approximation. We gave an abstract algorithm com- 
puting the largest place bisimulation when is given in a sufficiently effective 
way. 

These results shed a new light on earlier works on place bisimulation. Having 
reductions in mind from the start help understand why place bisimulation cannot 
cope easily with arbitrary set of markings. Indeed, we end up with quite strong 
restrictions on the set which, ideally, we would like to consist of the reachable 
markings only. 
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Figure 2 
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Figure 3 
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Theorem 3 . Let N\, N2 and be nets. 

i) VnLiP^ nLiIi nLiOi,thenN, N2 Ns N, N2 N3 , 

which includes that one side is defined if and only if the other is. 

ii) If Ni N2 Ns is defined and either Ni N2 Ns is not defined or 
it is different from Ni N2 Ns, then Ni, N2 and Ns have a common 
interface place that is only an output place of N\ and only an input place of 
N2 or vice versa; compare Figure 3 . 

Hi) If Ni is faster than N2 (both testable), then Ni and N2 have the same input 
and the same output places, and for each common interface place p, we have 
that p in N\ if and only if p in N2, and similarly for the presets, 
iv) Faster-than is a precongruence for testable nets. 



Proof, i 




i t 






p 




g t 




t 


t t 


th 


t it i y t 




th t 


ith 




t t 


P 








th 




iti 






i ti 


i 


t 




t 


t 






t 






th 






ti g 


g 


P t 




gt 


Ni th 




iti 


ith Ni i 




t i 


y 






t p 


i h it 






i 


t: 


i 




th 


th 






h 










i ti 






P 






y 


N2 


Ns 




















t p 




y 


i 


t 








th 




t 


i it 


i 


t t 






th 


t 


th 




i t 




i 


t 






t 






h 


p h 


i 




t 


t 




P 


i 


t 


t 




t 




g Ns 


th th 




i 


g i 


i 


th 










tb 


L t h 


i 


i 


th t th 


i 






p i 


N2 








ty 




ith 


i 


Ns 


h 






th 


ight h 


i 




i 


th t th 


i 








P i 


N2 


Ns 


hi h 




th t th 


i 




i 


N2 






i 


Ns 


th 




i 


i 


t 


p i 


th 


th 


i 


th 


t 


i 




th 






t 


P i 


th 


th t 




g 


P P 


i 


y 




i 


t 






th 






t 








ii 




th 


hy 


th 


i h 




th 




y i 


th 


t 




i 


t 




P 




th 




t th t 


i 


t 


i 




t 




th 


t 


t 


t 




th 




th 


i 




i th 


P i 




ith 


t 


g 


ity 


i 


t 




iVi 


N2 




y 




t 


t 




Ns 


y th 






Ni 


N2 


Ns 


th 


tt 






th t 




ith 


i 


Ns 


i 


N2 th 




t p 


th 




P i 


t 




t 


t 








Ns 


N2 h 


i th 


th 


th 










p 


h 


p i 


i 


t 


i 


thi 


th 


t 


hi h i 



t i ti t 



ti 



g 




iii 


p i y 


i 


t 




Ni 


i 


t 


t 


t U ith i t 






i ti 


g OJ th 




p ith 






P 


i Ni U i 


t 






ith i N2 


u 




th 


y i 






i th 


t p i 


i t 








t t t 


t 






N2 ith 




g 


t 






th t 


th 


i t 


Ni 


N 


2 


i 


i g th ty 


i 


g i 


i 


ith th 


i 


X 


ti 


th t th 


ight 






P 




Ni ith p 


P2 


i 








t p h 








g P 




y 




ti 




t 




i 


t t t U 


ith i 


t 


u) i 




t 


p 


g i 




iti 


ith [ 7 : 


i 


Ni 


h 




N2 




th 


t p 


t 


i t 








N2 th 


th 


X 


ti 


i i t 




t i 












h 


t i 


ti 


h 




th t p 




i N2 


t 


U i 


thi 




i 


ti ith t 






p 




th 






i 


P 


Pi 


Oi 


g 


g 


t 




th 














i 


t iVi t 


th 


N2 


t N 




th t 


t 


t 


iii 






th t iVi N 


i 




i 


N2 N i 




hi h 








th t 




iti ith N\ 


N 




N2 


N i 




th 




t t 


t 


t 


U,D 


t t th t iV 2 


N 


ti 


h 


t 


h th t iVi N 


ti 


th 


t t 




























ti 


ti 




th 


h i N2 


. N 


u 


Ni N U 








y 


i ti 


ity 


i 


th 1 


th 


N2 


ti 


N 


U,D 








ti ti 






th 


t N2 




N U 


th 


iVi 


ti 


N 


U,D 


























i ti ity i 






yii 


t g t 




i t 






Ni N2 N 




[/ th t g i 


y 




i 


t Ni 


N2 




y iii 




y 


t 


t 


N 






h 


P N, 


Ni p 


P 


N2 


N2 p 


p 




N 


N p p 




y 


Ni 


i t th 


N2 




iti 


ith N i 






th th 


t 






Ni N 


N 


i 


hi i 


P 




P 


t i th i 


i t 






h it 




t 


i 


7 Vi 


N2 N 




U 




ti g thi g 


t 




i t t 


h 




i ti 


ity 




i 



t th t y ii i 


t i ti 


th 


i h 


th t ith 


it i g 


y hi 


i ti ity 







4 Characterization of the Efficiency Preorder and a Proof 
Method 
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Lemma 5. 


Let 


N be 


a net, t 


T,p 


/ and q 0. 


In 


, TM 


pr TM 


implies TM 


p^t 


pr TM and ! 


TM p^t 


pr TM implies 


TM tp- 


pr TM . 



Lemma 6. Let N and U be nets sueh that Nq N U is defined; let Up be 
obtained from U by deleting P. Let TMq and TMq be timed markings of Nq, let 
TM p and TM p be their restrietions to the plaees of Up, and TM and TM their 
restrietions to the plaees of . Lett Tq, sueh that t P pi,...,pn 
and t P qi, ... ,qm in ease that t Tp . 

1. If t T, then TMq t TMq if and only if TM t pr TM and TM p TM p. 

2. If t Tp, then TMq t TMq if and only if TM pf . . .pfqi ■ • • 9™ pr TM 
and TM p t pr TM p. 

3. TMq a TMq if and only if Mp M°^'^ p Mp and there exists some X 
such that TM X p^ TM and, for all t Tp, Mp t implies either /3p t 

M°^‘^pt p t P p^ X or [3p t p t P p^ X. 

Proposition 7. Let Ni, and U be nets such that I\ U, 0\ O 2 , 

PR Ni PR N 2 and Ni U and N 2 U are defined. Then, for each w 

TPS Ni U with ( w n reaching the timed marking TM 1 and ending with 
a a, there exists a v TFS N 2 U with ( v n reaching the timed marking 
TM 2 and ending with a a such that TM\ and TM 2 coincide on Sp Pi. 



Proof. 


yi g 


w 


it 


tri 


PRS Ni 


i g 


ith 




t 


h i 


th 


i 


U t th 


t u 


PR Ni 




PR N 2 




i gt tri 






yi g^'2 


PRS N 2 


i g 


ith 




t 


hi h 


t 


t t; t 


i ith th 


h i 




th i 


U 


i g g i 




t th 


t th ti 


i g 


Sp 


Pi 


h g 


th 


y gw 


V 














h 


y 




t 


h 


t ti g i 


th t 


i 


ti 



i it pj^ ...p.„ql ...q+ i V 2 t thi ight 

t y it ith t iti T 2 thi t V 2 

i g h th t ii2 h th 



y 




m 



mm 



Theorem 8 . Let Ni and be testable nets. Then Ni N2 if and only if the 
syntactie and the semantie property as follows hold: 

syntactie property: I\ I2, 0 \ O2, and for eaeh interfaee plaee p, we have 

that p in N\ if and only if p in N2, and similarly for the presets; 
semantie property: PR Ni PR N2 ■ 

Proof. 1 y iti ith Ni N2 i th t 
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Theorem 9. 


is a precongruence w.r.t. relabelling and in- 


and output hiding. 
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If there exists 
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simulation from N\ to N2, then N\ 
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Conclusion and Work in Progress 
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3 Examples 
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m n 



n n n 

n m 
n m 

n m 



n n 
n n 

n n 



n 

n 

n 



n 



mm 



n 



m n 




pp 



p 




Fig. 6. 



m 



‘rejpkt- sbufse^pkty2+ |sendline+ 




Transforai 

directly 



rejpkt+ J 

sbufsendpkty0+c^3 



ackline+ 




Distinguishability constraint 
violated: {rcjpkt+} c {rcjpkt+,rcq+} 

sbufsendpktyl+ 



Introduce^ dummy output signal 



rejpk^ 



f rejpkt- sbufse^pkty2+ j^endline+ 







^ Transform (BJ rsjpW+/ (e) ackline+/ 

req+ iranSTOrm W^buftendpktyCH>>^^tafe™dpktyl+ 



Remove dummy I output signal 



dummy+ 



ackline+ 



sbufscndpktyH 



, \ valid 

XBMM 




Fig. 7. n n n m 



n n m n 

m n ( 

( n n n nn 

nnnnnn n m 

n n n n n 

n m n n 

m n n ( n 

n n m n m 

_ m m n n 

nn m m n 

n n 

m n m n m n n 

petrify n m n 3D n 

n n m n n n 

n n n m n n n 

n m ( m n m n 



n n 

n 



3.4 Results 

m n m 

n m ( 



n 

n 



m 

n 



m 

n 



pp 



p 




p p 




Fig. 8. 









n 


m 












n 


n 


n 










m 


n 






m 


n n 


n m 


m 


m 




n 






n 


n 






n 




n 


n 






n 








m 


n 


m 






n n 




n 


m 


n n 








m 








n 




m 


n 






n 


m 




n m 








n 




n 






m 




n m 












m 




n 


n 




n m 


n 






n 


n 


n 






n m 








m 




n 
















n n 






m n 




n 










n 






n n 




n 


n 


( 














n n 


n 


n n 


n 



4 Conclusion and Future Work 



11 

n 



n n 

n n 

n n n 



m n 
n 

m 



n 

petrify n 

n 

n n n 

m n 
m fl 

n 

n n 
n n 



n n 

n ( 

n n 

m n 3D n 

n n n 
n 



n 

n 

m n 



n n 

n 

m n 

n n 



( 

( 



n 



n 



m n 



n m 



n n 
n n 

n 

n 



n n 

m 
n 



n 



Circuit 


signals 

I/O 


XBM 

feasible 


XBM 

feasible 

after 

decompo 

sition 


signals after 
MOC 

decomposition 

(I/O) 


signals after 
parallel 

decomposition 

(I/O) 


states of XBM 
machine(s) 


stnl 


2/3 


no 


yes 


2/2 -H 3/ i 




4-(-4 


alloc-oiitbound* 


4/5 


no 


yes 


6/3 -t- 4/2 




8-f4 


mp-forward-pkf^ 


3/5 


no 


yes 


4/4 -r 2/1 




4-(-3 


nak-paa^ 


4/6 


no 


yes 


5/5 -H 4/1 




6-h2 


pc-rcv-ifc* 


4/7 


no 


no 






- 


ram-rcad-sbuP 


5/6 


no 


yes 


6/5 -t- 3/ ! 




7-t-3 


rev -setup* 


3/2 


yes 


- 






6 


sbuf-iani -write* 


5/7 


no 


yes 


4/5 -H 5/2 




6-(-4 


sbuf-rcad-ctl* 


3/5 


no 


yes 


4/3 -t- 3/2 




5-(-3 


sendr-donc* 


2/2 


no 


yes 


2/1 -t-2/1 




2-(-3 


hazard 


2/2 


yes 


- 






4 


async99 


3/3 


no 


yes 




3/2 -H 3/1 


4-(-4 


c_sg 


4/1 


yes 


- 




2/1^ 


2 


c_sgl 


4/2 


no 


no 






- 


c_sg2 


4/2 


no 


yes 




2/1 -r2/l 


3-(-3 


dcko2 


3/1 


yes 


- 




2/1^ 


3 


five 


6/5 


no 


ves 




2/1 -f 2/1 -(-2/1 -1-2/1 -1- 1/1 


3 -(- 3 -(- 3 -(- 3 -(- 2 



a. Only redundant input signals were removed 



Table 1. m n 



References 



p 



p p 



p 



p p p 




p 



p 



p 



p p 



pp 



p 



p 



p 



^n.Spect 6.4 

An Executable Specification Tool for Hierarchical 
Colored Petri Nets 



Wil M. P. van der Aalst', Poul J. N. de Crom^, Roy R. H. M. J. Goverde^ 

Kees M. van Hee‘ ^ Wont J. Hofman^ Hajo A. Reijers''^, Robert A. van der Toom'’^ 

'Eindhoven University of Technology, 

Department of Mathematics and Computing Science, 

P.O. Box 513, NL-5600 MB, Eindhoven, The Netherlands 
(wsinwa, wsinhee, hreijers, rvdtoom}@win.tue.nl 

^Deloitte & Touche Bakkenist, 

Department of Information and Communication Technology, 

P.O. Box 23103, NL-1 100 DP, Amsterdam ZO, The Netherlands 
(pdcrom, rgoverde, kvhee, whofman, hreijers, rvdtoornj@hakkenist.nl 



Abstract. Ten years ago Ex5pecf became available on the market. Since then a 
lot of modeling and simulation projects in logistics, workflow and electronic 
commerce have been performed using ExSpect. In the past ten years the heart 
of ExSpect, the simulation engine, has never been changed: it still executes 
models of hierarchical, timed, colored Petri nets with priorities. Over the years 
new features have been introduced based on user requests. Three extensions 
dominate the new functionality of ExSpect. The first is ‘ease of use’ in 
simulating and carrying out quantitative analysis of workflows. The second is to 
view Message Sequence Charts for electronic commerce applications using 
ExSpect. The last is the integration of ExSpect and applications; i.e., to use 
ExSpect to handle the /low of control for other applications. 



1 Introduction 

ExSpect is a simulation and animation tool for hierarchical timed colored Petri nets 
with priorities [9]. The first version of ExSpect was launched ten years ago and is 
described in [10]. Since then the tool has been used both in the academic and in the 
business world. ExSpect should he compared for instance with tools such as 
Design/CPN, CPN-AMI and Great SPN (see [17] for pointers). ExSpect proved to he 
particularly successful in the fields of workflow management, logistics, and electronic 
commerce. The deployment of the tool in workflow and electronic commerce projects 
required a number of new features. We will discuss the three most important new 
functionalities of ExSpect. 

The first feature has been developed to meet consultant needs simulating business 
processes with ExSpect. In workflow management the use of workflow management 
systems (WFMSs) to support business processes (also called workflows) is 
widespread. Until now these WFMSs have poor simulation and verification facilities 
[1]. For organizations it is, however, extremely important to verify and simulate new 

M. Nielsen, D. Simpson (Eds.): ICATPN 2000, LNCS 1825, pp. 455-464, 2000. 
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business processes before implementing them. Ex5pect does not have verification 
options like, for instance, Woflan [16], but Ex5pect-simulations are useful for various 
reasons. 

The graphical animation of a workflow is a good way to provide feedback to 
the owners of the workflow, i.e., employees of an organization. Eor instance, 
the sequence of tasks can be checked for correctness. 

The quantitative analysis of a workflow process gives insight into waiting 
times, service times, throughput times, occupation levels and queue lengths. 
Moreover resource allocation scenarios may be carried out in order to optimize 
the distribution of resources over processes and tasks. 

Quantitative analysis of workflows is facilitated by a large number of statistical 
functions (all listed in the Ex5pec/ help file [6]) and a large library of workflow 
building blocks. Building blocks are predefined Petri net structures with a particular 
function in a workflow, for instance the creation of a case or the choice between two 
paths according to a certain mathematical distribution. A case study in which these 
qualities of ExSpect are exploited is described in [14]. However in practice 
constructing a workflow simulation model in ExSpect to perform quantitative analysis 
was often too expensive (in terms of costs and time) and could only be carried out by 
someone with a deep knowledge of the ExSpect workflow library. To achieve ‘ease of 
use’ it was very fruitful to develop translators. Translators are applications that are 
able to read a workflow process definition created in tools solely dedicated for 
workflow design and translate this definition to an executable ExSpect specification, 
using building blocks from the workflow library. This resulted in the applications 
C02EX and Prospect. These applications are interfaces (i.e., links) between 
respectively the tools COSA® [15] and Ex5pect and PROTOS [13] and Ex5pect. 

The second feature has been developed to meet customer requirements for 
specifying message exchange between information systems to support electronic 
commerce. Important application areas in this respect are the business-to-business and 
business-to-administration communication [2]. The integration of business processes 
of a large number of organizations is the central issue. Organizations, also called 
actors, exchange information to support their business processes. Modeling the 
interaction between these actors in ExSpect can be done easily because of the 
expressive power of ExSpect. However, it appeared to be a problem to present 
complicated ExSpect models to persons without a Petri net background. It is easier to 
provide them with interaction scenarios derived from an ExSpect model. This 
motivated the extension of the ExSpect Dashboard (see Section 2) with the option to 
generate Message Sequence Charts [5] during a simulation run of ExSpect. Note that 
these Message Sequence Charts correspond to Sequence Diagrams in UML [3]. 

The third feature is the ‘componentization’ of the ExSpect engine. There is an 
ongoing trend in software engineering to separate the specific functionality of 
applications from ‘standard’ functionality and make a software component of the 
separated functionality. This has been done with ExSpect as well. The ExSpect engine 
has been separated from the other parts of the ExSpect application and has been 
‘componentized’ according to the Microsoft COM standard [12]. The new component 
is called the ExSpect Server. The ExSpect Server is particularly useful in applications 
with a complicated flow of control. Moreover customers require more often not only 
an ExSpect simulation of the system specification but also an ExSpect prototype of the 
system that is able to operate in the environment of the system in mind. To meet such 
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demands it is necessary to have a tool that can be integrated in various applications. 
With Microsoft COM the ExSpect Server can be integrated in Visual Basic, JAVA 
and C++ based applications. 

The structure of this paper is as follows. Section 2 discusses the architecture of 
ExSpect 6.4. Functionality that has not been presented in previous publications will be 
described briefly; for known functionality references will be given. Section 3 presents 
the first feature, the interface to other tools. Section 4 describes the option to generate 
Message Sequence Charts. In Section 5, the ExSpect Server is explained. Section 6 
formulates conclusions and indicates plans for future development. 



2 Architecture of ExSpect 

Fig. 1 depicts the architecture of ExSpect. We will now describe the modules of this 
architecture. 

The heart of ExSpect is the ExSpect Server (engine). It is able to execute the 
token-game for models that are expressed in the ExSpect language. The 
ExSpect language is a typed functional language close to a subset of the Z- 
language defined in [9]. It is based on hierarchical timed colored Petri nets 
with priorities. The elementary transitions in the ExSpect language have a 
logical relation that describes their consumption-production behavior. A 
precise description of the language can be found in [8] and [10]. 




Fig. 1. The architecture of ExSpect 6.4 

The ExSpect Designer provides a user interface to create new ExSpect models 
and to update existing ones. Creating and installing system, processor, 
function and type components results in an ExSpect model. A detailed 
description of these components and the construction process is given in [7]. 
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Once ExSpect systems are defined and installed, it is possible to perform a 
syntactical check of these systems by activating the module Check. Errors are 
reported and the user can improve the model until it is correct. 

If a closed system, i.e., a system with no input-, output-, or store -pins [6, 9], is 
correct, the ExSpect Engine can simulate it. To display simulation results from 
the ExSpect Engine and to communicate with the engine, the 
Dashboard/TokenAnimation module is used. This module is activated from the 
ExSpect Designer module. The Dashhoard/Token Animation module consists 
of two parts: the dashboard window and the token animation windows 
(available for each system). 

The Dashboard window is used to monitor and edit the contents of 
channels (i.e., places) during a simulation run. A user can place several 
types of DashBoard Objects (DBOs) on the dashboard. Every DBO either 
shows a graphical representation of the contents of a channel or allows the 
user to add tokens to a channel. Eig. 2 depicts all Dashboard objects. The 
newest DBO is the representation of Message Sequence Charts. The 
functionality of DBOs is described in the ExSpect help file [6]. 




Fig. 2. Dashboard objects 

The Token Animation of a system is displayed in one or more Animation- 
windows. Starting point of an animation is the main system, and from that 
point on animations of sub-systems can be opened. Each animation- 
window displays a system in the same way it is displayed hy the Designer, 
but without the editing facilities. When a system is being simulated, the 
movement of the tokens on connectors (i.e., arcs) is animated graphically. 
The value of a token residing in a place can be inspected and a token can 
be added or deleted from the Petri-net during simulation. All DBOs can 
be displayed in the animation-window as well. Eig. 3 is an example of an 
animation window. 
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count_cars_driven_on 









Fig. 3. System animation window 



An important advantage of ExSpect is the development of a number of 
libraries for various types of problems that have been analyzed over the past 
10 years. Libraries are available for modeling workflow, logistics, electronic 
commerce and administrative processes. These libraries can be used in the 
ExSpect Designer. It is easy to create new libraries; only specifications that are 
checked may be used as a library. 

Once an ExSpect file has been created, it is saved as a Process Definition file . 
The ExSpect engine uses a Checked and Compiled version of the Process 
Definition file. 

Import and export files that can be used by the Dashboard/TokenAnimation 
model are flat Text or Spreadsheet files. The content of these files can be read 
before and written after a simulation. 

Send/Receive-Tokens is an application that is able to put token values from a 
file in an ExSpect channel and it is able to get a token value from an ExSpect 
channel and put it in a file. The precise functionality is described in the 
ExSpect help file [6]. Windows applications use Send/Receive-Tokens to 
communicate with ExSpect. The file-interface offered by Send/Receive- 
Tokens is an alternative communication channel for the one offered by the 
ExSpect Server. 

The Windows-application is not really part of the ExSpect application. It 
signifies a COM-application that can communicate with the ExSpect Engine in 
process. 



3 Interfaces with Other Tools 

Interfaces with other tools give ExSpect the ‘ease of use’ in simulating and carrying 
out quantitative analysis of workflows. Two interfaces are discussed: the PROTOS- 
ExSpect and the COSA®-ExSpect interface. 
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3.1 Interface between PROTOS and ExSpect 

PROTOS [13] is used for business process modeling. It is designed to enable users to 
describe their business process in an intuitive way. It has no underlying semantics, or 
at least a weaker form than ExSpect. If a user takes into account a number of 
restrictions, a PROTOS model can be transformed into an ExSpect model by the so- 
called Vmspect application. 

There are two aspects that play a role in this transformation. The first is the way in 
which PROTOS processes are translated into ExSpect processes and the second is the 
definition of statistical functions in PROTOS. We will first discuss the way PROTOS 
processes relate to ExSpect processes. Fig. 4 depicts three PROTOS processes. The 
first illustrates how a process can be defined in PROTOS: transitions, called activities 
in PROTOS, are connected directly to other activities. The second and the third 
processes illustrate that the interpretation of the first process may cause confusion. 
Does the first process correspond to the second or the third process? The Prospect 
application always assumes that places should be inserted on all arcs between two 
activities. (Situation 2 in Fig. 4.) 





Fig. 4. Three PROTOS processes 



PROTOS offers dedicated windows to add simulation settings to a process 
definition. Simulation settings of four types are introduced in a PROTOS model 1) 
per activity, 2) per role, 3) for a process model and 4) per choice-construction: 

1) For each activity the necessary number of persons to execute the activity has 
to be put in. The relative frequency of an activity related to other activities has 
to be entered and service times have to be entered in the form of a probability 
distribution. Optionally a priority and the cost of an activity can he inserted. 

2) In PROTOS each activity is connected to a role. For each process definition 
the number of resources available in that role have to be entered. 

3) For each process, settings concerning reliability have to be entered as well as 
an arrival pattern. The reliability information of the simulation includes: the 
number of cases per batch, the number of batches, the number of sub-runs, the 
length of a sub-run, the number of start-runs. An arrival pattern is given by a 
probability distribution; often this is the negative exponential distribution. 

4) The choice construction is the construction in which a choice is based on the 
value of the data element. The information that is added specifies the 
conditions to be used. 
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If the process definition extended with simulation data is correct then after the 
transformation hy Prospect the result can directly he simulated in ExSpect. 



3.2 Interface between COSA and ExSpect 

A similar simulation model as obtained with PROTOS, can be obtained from the 
workflow management system COSA® [15]. Also a number of simulation settings has 
to be added. Since COSA® is a Petri net based tool, the translation is straightforward. 
The application that translates a COSA® model to an ExSpect model is called C02EX. 



4 Generate Message Sequence Charts During Simulation 

During simulation ExSpect can generate Message Sequence Charts (MSCs) [5]. We 
illustrate this feature by means of the Transit process, which has been modeled in 
ExSpect in a design project for European Commission. Transit is a European customs 
process. It controls the communication between organizations that exchange messages 
about a transit declaration of goods between member states of the European Union. 
With the model, particular interaction scenarios were generated. Eig. 5 shows a 
number of ExSpect systems. ‘NCTS’ represent roles of organizations. Eig. 5 also 
shows an MSC that corresponds with these roles. The MSCs are particularly useful to 
evaluate interaction scenarios between roles. MSCs are derived from an ExSpect 
system by monitoring the communication channels between roles. In case of the 
example an internal channel in the system ‘network’ is monitored. 






•o 

d 












TADEP OOD0> OODEST TADEST 



MCTS Accompenylng Documents 






Fig. 5. Actor system and Message Sequence Chart 

Each message token in a message channel is monitored: the sender and recipient of 
the token are registered. This results in an arrow in the MSC at the right-hand side of 
Eig. 5. In the ExSpect help file [6] a technical description of the DBO MSC is given. 

UML (Unified Modeling Language), see [3] has been accepted as standard 
modeling language, where designers often have to conform to. UML Sequence 
Diagrams (SDs) model the interaction between objects. A designer can interactively 
construct SDs with tools. However, (s)he cannot verify these SDs with other models 
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like state charts or activity diagrams. Because an MSC is similar to a SD and because 
an MSC represents one particular trace of the dynamic behavior of a system, ExSpect 
can be used to validate these diagrams with the integrated system description in 
'ExSpect. 



5 ExSpecf as a COM-Component 

Recently, the Ex5/?ect engine has been isolated from the other parts of ^xSpect and 
made a COM component [12] with a well-defined interface. This offers the 
opportunity to develop applications with “Ex5/)ec/-inside”. In applications of this type 
ExSpect handles the control flow while the user interface and the integration with data 
can be handled by the window application (called the client). Microsoft COM 
components can be integrated in a number of programming environments. Some of 
the well known are Visual Basic, Java and C-H-. 

A client can interact with the ExSpect COM server through methods and events of 
the server’s Application Programming Interface (API). The API intervenes in the 
process of the engine. A client calls methods and the server triggers events as 
illustrated in Pig. 6. 



ExS Server 







Methods 




Engine 


API 


Events 


Client 



Fig. 6. Interaction between the ExSpect server and clients (windows applications) 

The process of invoking methods and receiving events is asynchronous. After a 
client invokes a method it expects an event as a response. A period of time passes 
before the client is reached. Meanwhile the client is blocked to avoid synchronization 
problems. 

The methods of the API are: AddBreakpoint, ConsumeToken, Continue, GetTime, 
GetTokenValue, HaltAfterSteps, HaltOnTime, Idle, Init, LoadState, Pause, 
ProduceToken, RemoveBreakpoint, SaveState, TracePlace and UntracePlace. 

The events of the API are: Consume, Continue, FireEnd, FireStart, Initialised, 
Paused, PlaceType, Present and Produce. 

With these methods and events and a thorough understanding of the protocol 
between the ExSpect Server and its Clients, it is possible to obtain the same 
monitoring and control options as one would have with the ExSpect Simulator and 
Dashboard. Presently, a tutorial on the ExSpect Server is developed that describes all 
methods, events and protocols in detail. 

Pig. 7 shows an MSC, which is an example of an ExSpect Client - Server protocol. 
This protocol illustrates the following. To start client-server interaction a client calls 
the method Init. As a result a client receives an event PlaceType for every place in the 
system for which the “show in simulation” option is selected [6] and it also receives 
an event Initialised from the COM server. The event PlaceType provides information 
concerning the type of a place while the event Initialised indicates if the initialization 
has succeeded or failed. After initialization a client can start with the simulation by 
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calling method Continue. A client will receive event Continued as an 
acknowledgement. In case of more than one client, the COM server will broadcast 
event Continued to all clients. To interrupt the simulation a client has to call method 
Pause. Event Paused will be sent by the COM server. In this case there will also be a 
broadcast to all clients if there is more than one client connected to the COM server. 

Client COM server 

I Init ^ I 











PlaceType 






Initialised 






Continue 






Continued 






Pause / AddBreakpoint / 
HallAfterSteos / HaltOnTimek. 




Paused 





Fig. 7. ExSpect Client - Server protocol 



6 Conclusions and Future Developments 

This paper demonstrates a number of new features of ExSpect. In the past ten years 
the high level Petri-net concept appeared to be successful in solving a number of 
modeling problems in workflow, logistics and electronic commerce. Users requested 
changes of other aspects, such as user-friendliness, better integration with other tools 
and the capability to create prototypes rather then specifications of systems. 

ExSpect addressed these requests by: 

improving the user interface and creating interfaces to other tools, 
offering the possibility to view aspects of a system, such as MSCs, 
“componentizing” the ExSpect engine and thereby offering the possibility to 
create user dedicated interfaces for ExSpect. 

In the future the tool will be extended with other architectural views, such as a 
component view [11]. Also an attempt will be made to add workflow verification 
options to ExSpect [16]. 
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#define GRAPH depth_first 
//#define GRAPH breadth_f irst 








//#define REACHABILITY 
//#define MODELCHECKING 
//#define BOUNDEDPLACE 
//#define BOUNDEDNET 
#define DEADTRANSITION 
//#define REVERSIBILITY 
//#define HOME 
//#define FINDPATH 
//#define FULL 








Fig. 1. g 




g 


/ / mm 








g g m 


m 




t 


- 


g ymm y 




y g 


g 


gy ymm 


y g 






t 


y 




g 


t g m 




m 


m g 

y 


g t 


g m 






g 




m 


IF strategy = 


depth_Eirst . . . 




m 


y 


y 


m m 


g 


m 


y 


y 


m 


m 








m- 


y 


- 






g 


m 




g g 


g 






g m g 


g 


- m 




m 


g 3 0 y 




y 




m 


m 




m g 




y 


m 


g 




PLACE eatingO, eatingl, ( ) 

thinking2 , thinkings , thinking4 ; 

MARKING thinkingO : 1, thinkingl : 1, ( ), fork4 : 1; 

TRANSITION releaseleftO 
CONSUME eatingO; 1; 

PRODUCE hasrightO: 1, forkO: 1; 

( ) 

TRANSITION takeright4 
CONSUME hasleft4: 1, forkO: 1; 

PRODUCE eating4; 1; 



Fig. 2. 



g 



3 State Space Exploration Techniques in LoLA 



y g 



g 



y 



m 



y 



m 


ymm 






m 


m 






ymm 


y - 


y 


y g 


g 




ymm 


y g g 




m 


m 


_ 


g 


g 


g 






g 


ymm 


y g 




m 






g 


y 




g m 




ymm 






ymm 






0 










y 


g 


y 




y 


m 


g 



gy 

g 



y 



y 



y 



ymm y 



y 



y 



g 



y 



m 



g m mm 

y 

mg y 



z y m 
ymm y 



y 



y m 



m 



y 




# lola ph500.net -S 
2500 Places 

2000 Transitions 
computing symmetries... 

499 generators in 1 groups for 500 symmetries found. 

0 dead branches entered during calculation. 

»»> 1499 States, 2496Edges, 1499 Hash table entries 
»»> 1 States, OEdges, 1 Hash table entries 
not reversible: no return to mO from reported state 
STATE 

hasleftO : 1, 
hasleftl : 1, 

(. . .) 

hasleft499 : 1 

# 



Fig. 3. g 

my g 

00 g y m 

z 

y 

m gy 



y g 



ph500 .net 




g 


g 


m 


ymm 




4 




m 




m 


m 


g 





000 



g 

g 

mm m 



y y 

000 3 1000 g ymm 

3000 

g m 



4 Attracted Simulation 



g 

g m 

m 



y g g 

y m 



m 



m 



m 



m g 3 10000 



y g g 

y g my 

m g ] 

0000 



ym- 



g 



y 



y 

m 

y 






m 






in 


g 








g m 


m 




y g 


g m 


g 




m y 


y 


g 








y 


m 








m 


0 m 


00 


000 


m 




000 








g 


m 


m 


m 


m 


m m y 


y 


m - 








m 


y m 






y 


y 








g mm 


g 





5 Implementation Details 




m 


g 


m 


y 


y g m 


gy m 


fly g 


g m 




y g 


g 


g 



5.1 


State Space Management 










g y 








m 


m 


m 




g 










y 






m 




my 




ymm 


m 








m 


ymm y g 








m 


gym 




m g 




m 


m 




g 




ymm 


y g 








m 




y 






m 


3 


m 


g 3 




m 


m 




y 


g 


m 






m 


m 


gy 


m 




m 


g 


y y 


m 


y 


y 






m 


g m 


m 




g 








y 


y 


g 


m 


y 




g 


y 




g 




m m 




g 










g 




m m 














ymm 


fl 






m g 




ymm y 


ymm y 




m 


m 


y 




ymm 










ymm y 


g 


y g 


g 












m 


g 






g 


y 




y g 


Karp-Miller 


y 3 




Finkel 


y 






m 




y 








m g 




y 


y 


y g 






y 








y 




g 


y 










) 


Performance 














400 z m 








y g 


g 






g 


000 






0 


00 




000 












000 m 


400 






g 


m 




00000 










y 


z 


ymm y 














m 




g 


ymm 


y 


g 


g 


y g 






g 








ymm y g 














m 




g 


m 




m 




g 










i 

g 



7 Availability 



g 

http : / /www . inf ormatik . hu-berlin . de/~kschmidt /lola . html 

m 



y m 

g 

mm m 

flex 



m 



g 



bison 




8 Future Work 



g g y m 

m - 
m 
g 



g 



y 

m 



References 



p Proc. 11th International 

Conference on Application and Theory of Petri nets p 



P 

and Systems, IEEE 1995 p 
P 

System Sciences 4 P 



P PP 

3rd Israel Symp. on the Theory of Computing 
p Journ. Computer and 

Informatik-Bericht 

Acta Informatica p 



Proc. 6th 

International Conference Tools and Algorithms for the Construction and Analysis 
of Systems p 

PP Fundamenta Informaticae 

p p 20th International Conference 

on Application and Theory of Petri nets, p 

p Proc. 9th 

European Workshop on Application and Theory of Petri Nets, 

p Petri net Newsletter 46 p 



CONCUR, LNCS 715 p 



Proc. 




Woflan 2.0 

A Petri-Net-Based Workflow Diagnosis Tool 
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Abstract. Workflow management technology promises a flexible solution facil- 
itating the easy creation of new business processes and modification of existing 
ones. Unfortunately, most of today’s workflow products allow for erroneous pro- 
cesses to be put in production: these products lack proper verification mechanisms 
in their process-definition tools for the created or modified processes. This paper 
presents the workflow diagnosis tool Woflan, which fills this gap. Using Petri-net 
based techniques, Woflan diagnoses process definitions before they are put into 
production. These process definitions can be imported from commercial work- 
flow products. Furthermore, Woflan guides the modeler of a workflow process 
definition towards finding and correcting possible errors. 



1 Introduction 

Today’s workflow management systems are ill suited to dealing with frequent changes: 
there are hardly any checks to assure some minimal level of correctness on the process 
[Aal98, AHOO]. Even a simple change like adding a task can cause serious problems like 
deadlock or livelock. As a result, an erroneous process definition may be taken into pro- 
duction as a workflow, causing dramatic problems for the organization. Therefore, it is 
important to verify the correctness of a process definition before it becomes operational. 
The role of verification becomes even more important as many enterprises are making 
Total Quality Management (TQM) one of their focal points. Eor example, an ISO 9000 
certification and compliance forces companies to document business processes and to 
meet self-imposed quality goals [IC96]. Clearly, verification of these process definitions 
can be used to ensure certain levels of quality. 

The tool Woflan was built in response to the need for a workflow verification tool. 
Right from the start, three requirements have been imposed on the tool: 

1 . Woflan should be independent of the process definition tool used by the modeler. 

2. Woflan should be able to handle complex process definitions (up to hundreds of 
tasks). 

3. Woflan should give the modeler to-the-point diagnostic information to find and 
repair errors. 

Based on these requirements, we decided to use Petri nets because they are a univer- 
sal modeling language with a solid mathematical foundation, are close to diagramming 
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techniques used in practice, and have efficient analysis techniques that are already avail- 
able. The primary goal of the Woflan tool is to verify a process definition, i.e., to check 
whether a process definition is a workflow process definition that satisfies the so-called 
soundness property [Aal97, Aal98]. 

Workflow process definition A process definition is called a workflow process defini- 
tion if it has a single start condition (indicating the arrival of a new case), a single 
end condition (indicating the completion of a case) and if all tasks contribute to 
completing a newly-arrived case. 

Soundness property A workflow process definition is called sound if it is always pos- 
sible to complete a case (i.e., if it is always possible to reach the end condition), if 
completion is always proper (i.e., if no references to the case are left behind when 
it reaches the end condition), and if every task can be executed in some way. 

In case the process dchnition is not a workflow process definition that satishes the 
soundness property, Woflan’s diagnostic information guides the developer towards find- 
ing and correcting the errors. 

First, we explain the terminology used in this paper. Second, we describe the archi- 
tecture of the tool. Third, we discuss the properties used by the tool to decide whether it 
is a sound workflow process dehnition. Fourth, we introduce the diagnosis process that 
helps the developer in finding and correcting the errors. Fifth, we discuss a number of 
import- and export biters from third party (WFMS, BPR) tools that increase Woflan’s 
usefulness, using a diagnosis process definition as example. Sixth, we diagnose and 
correct the flawed diagnosis process definition. Last, we conclude with conclusions and 
future work. 

2 Terminology 

The terminology used in this paper is based on the terminology used by the WfMC 
[WFM96]. However, to avoid confusion within the Petri-net community, we use the 
term condition instead of transition to describe places. Table 1 shows the mapping from 
the workflow terms [WFM96] used in this paper to Petri-net related terms. For some 
non-standard terms a brief explanation is given. 

Short-Circuited Net In [Aal97] it has been shown that a workflow net is sound if and 
only if that net extended with an extra transition (called EXTENSION in Woflan) from 
the sink place(s) to the source place(s) is bounded and live. This extended net is called 
the short-circuited net. 

In the remainder of this paper, we want to avoid mentioning the short-circuited net 
over and over again. For this reason, some properties of a process definition are defined 
(see Table 1 ) on the short-circuited P/T net, while others are defined on the original P/T 
net. 

Restricted Coverability Graph A restricted coverability graph (RCG) is a coverability 
graph (CG) except for the fact that infinite states are not expanded during construction 
of the RCG. Like a CG, an RCG is not uniquely defined if the net is unbounded. If no 
infinite states exist, an RCG equals the occurrence graph (OG) [VBA99]. 
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Task 


Transition 


Start condition 


Source place 


End condition 
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Useless task or condition 


Strongly unconnected nodes in the short-circuited net 


Thread of control 


S-component in short-circuited net projected to places 


Uniform invariant 


P-invariant in short-circuited net containing only weights 0 
and 1 


Weighted invariant 


P-invariant in the short-circuited net containing only semi- 
positive weights 


Proper condition 


Bounded place in minimal coverability graph (MCG, 
[Fin93]) of short-circuited net 


Improper scenario 


Unbounded sequence in restricted coverability graph (RCG, 
[VBA99]) of short-circuited net 


Live task 


Live transition in RCG of short-circuited net 


Dead task 


Dead transition in MCG of short-circuited net 


Deadlock scenario 


Non-live sequence in RCG of short-circuited net 


Confusion 


Non-free-choice cluster [DE95] in short-circuited net 


AND-OR mismatch 


TP-handle [EN94] in short-circuited net 


OR- AND mismatch 


PT-handle [EN94] in short-circuited net 



Table 1. Mapping from workflow terms to Petri-net terms 



Sequence A sequence is a firing sequence of minimal length (e.g., paths in the (R)CG) 
such that states with a given property become unavoidable (fairness etc. assumed). It is 
minimal in the sense that up to the last-but-one transition in the sequence (e.g., the last- 
but-one state in the path) the property is avoidable: the last transition in the sequence 
(e.g., the last edge in the RCG) makes the property unavoidable. 

3 Architecture 

The core of Woflan consists of Petri-net-based analysis routines. Using these routines, 
Woflan can verify the soundness of a given process definition. This soundness prop- 
erty is the minimal requirement any workflow process definition should satisfy. Be- 
cause soundness is equivalent to the boundedness and liveness of the short-circuited 
WF net [Aal97], it can be verified using standard Petri-net techniques. Although it is 
possible to verify the soundness property for many process definitions in polynomial 
time, Woflan uses the general approach by constructing a minimal and/or restricted 
coverability graph. The diagnosis of the process definition is also partly based on these 
constructed CG’s. The Woflan tool contains a number of modules: 

1 . One GUI module (wo f app), 

2. One analysis module (wof dll) for loading, verifying and diagnosing process def- 
initions, and 
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3. Three conversion modules (scr2 tpn, wil2 tpn, and gwd.2 tpn) for process def- 
initions from commercial products (Cosa [SL98], Meteor [SKM], resp. Staffware 
[Sta97], 

The GUT and conversion modules are implemented in the main executable (called 
wofapp. exe). To support the use of Woflan as a back-end tool, the analysis mod- 
ule is implemented in a separate DLL (wof dll . dll). 

4 Properties 

Soundness of a workflow process definition is equivalent to that definition being proper 
and live, i.e., all conditions must be proper and all tasks must be live. Therefore, to 
decide soundness, Woflan computes whether all conditions are proper and all tasks are 
live. Preceding these two properties, Woflan has to decide whether or not the process 
definition is indeed a workflow process definition. 

4.1 Workflow 

The definition of a workflow process definition is straightforward: it should be a process 
definition with exactly one start condition, exactly one end condition, and no useless 
tasks or conditions. Because these properties are of a structural nature and do not require 
the construction of an MCG, RCG or OG, they are relative easy to check. 

4.2 Properness 

Properness of conditions can be decided using the conventional method, i.e., by gener- 
ating the net’s MCG etc. However, because of its complexity, we would like to avoid 
this if possible. Fortunately, there are alternatives that are less expensive from a compu- 
tational point of view: all conditions covered by threads of control, uniform invariants 
or weighted invariants are proper. Because a thread of control is also a uniform invariant 
and a uniform invariant is also a weighted invariant, we have ordered these alternatives 
from more desirable to less desirable. 



Threads of Control From the workflow point of view, threads of control are very desir- 
able. A workflow case typically consists of a number of documents. Each document has 
its own route through the workflow. A thread of control coincides with such a document 
route. So, if threads of control cover a workflow process definition, then each workflow 
case can be split into a number of documents such that each condition can be linked to 
some (possibly all) of these documents. If there is not such a cover, the uncovered con- 
ditions cannot be linked to any document. As a result, for a workflow process definition 
to be sound, both confusions and mismatches have to be present [VBA99]. Apparently, 
these constructions are vital to ‘cure’ the net from these uncovered conditions. This 
soundness-related property is called interim soundness: a process definition containing 
uncovered conditions is called interim sound if and only if it contains confusions and 
mismatches. 
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Diagnostic Properties If a definition contains improper conditions, Woflan computes 
some additional properties that can help finding and correcting the properness problem: 
AND-OR mismatches (they endanger propemess), confusions, and improper scenarios. 

4.3 Liveness 

Suppose we have a process definition that can be covered by invariants (i.e., that con- 
tains no improper conditions), that can not be covered by threads of control, and that 
has either no confusions or no mismatches. For such a definition we can conclude that 
it is unsound, i.e., it contains non-live tasks. 

Likewise, suppose we have a process definition containing no improper conditions 
and for which we have detected substates during the construction of the MCG. A reach- 
able markings M\ is a substate of another reachable marking M 2 iff M\ < M 2 - At this 
point, we can conclude that from M\ the extra task EXTENSION is dead. 

Otherwise, Woflan has no method yet to decide liveness without generating the 
OG. Note that generating this OG is only possible if the process definition contains no 
improper conditions. 

Diagnostic Properties If a definition contains non-live tasks, Wollan computes some 
additional properties that can help finding and correcting the liveness problem: GR- 
AND mismatches (they endanger liveness), confusions, dead tasks, and deadlock sce- 
narios. 

5 Diagnosis 

Based on practical experiences with earlier versions of Woflan we have developed a 
method for detecting errors in a workflow process. This method is supported by Woflan 

2.0 and uses the diagnosis process shown in Figure 1. The diagnosis process can either 
be executed in-succession or step-by-step. In the latter case, dialogs are used to com- 
municate with the user. First, we give the diagnosis process. Second, we explain one of 
the dialogs in detail, using the diagnosis process as shown before as example. Last, we 
explain the general view in detail, using again the diagnosis process itself. Please note 
that Figure 1 is used both as a meta-model describing the functionality of Woflan and 
as a concrete example of a workflow process. 

5.1 Process 

Because of the fact that we need the OG (and therefore a workflow process definition 
containing no improper conditions) for deciding liveness, it is obvious to decide it only 
if the workflow process definition has been proven to contain only proper conditions. 
Because the workflow properties are easy to check, Woflan starts with them. As a result, 
the main steps in the diagnostic process are: 

1 . Decide workflow, 

2. Decide properness, and 

3. Decide liveness. 
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Fig. 1. Diagnosis process, modeled using Protos [Pal97] 



If some step fails, there is not much use in continuing with the next step. The modeler 
of the process definition hrst has to correct the errors present. 

Figure 1 shows a graphical representation of the diagnosis process definition. Note 
that in some cases the diagnosis process may he continued when unsoundness of the 
process definition has been detected. The reason for this is to collect more diagnostic 
information. 
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5.2 Dialogs 

The diagnosis process uses a series of dialogs to guide the user step-by-step through 
the process. Depending on the diagnostic results, either a next dialog is presented or the 
process is finished (end of diagnosis). Properties that are likely to be of interest 
to the modeler are automatically unfolded. As running example, we take the diagnosis 
process definition as shown in Figure 1 and show the dialog concerning the thread of 
control cover. 



Thread of Control Cover? The dialog as shown in Figure 2 shows that, using previ- 
ous dialogs, Woflan has concluded that the diagnosis process definition is a workflow 
process definition, but that no threads of control exist. As a result, the 20 conditions of 
the diagnosis process definition are listed. 



Proper conditions I 






X 



The process definition is aworkflow 
process definition 

Are ell conditions in the process definition 
covered by some thread of control? 



B X Threads of control: 0; 

B X Uncovered conditions: 20 
ffl O ell 
!£ O Cl6 
B O c21 
E O c25 
ffl O c29 
ffl O C34 
ra O cA 
a O c5 

a O GLOBAL.END 
a O GLOBAL.START 
a O lmproper_WPD 
ffl O No.WPD 
ffl O Process_definition 

ffl O Proper unsound_WPD 

ffl O Proper.WPD 
ffl O Proper_WPD_ 
ffl O Sound.WPD 
ffl O Unsound 



I Ne> 



Help 



Fig. 2. Example ’’Thread of control cover?” dialog 



5.3 Diagnosis View 

The diagnosis view shows all properties of the process definition in a tree-like manner. 
At the root, the name of the process definition file is shown. This root node has two 
child nodes: the upper for the diagnosis results, the lower for the diagnostic properties. 
The diagnosis results node shows in brief the results on the main properties (workflow, 
safeness, liveness, soundness). The diagnostic properties node combines the diagnostic 
information from all dialogs. 
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File View Diagnosis Help 


-iDlxl 


^ >»i>i f i>t?r 





1 Bl F:\Papers\atpn2000\diagnosis.tpn 
Q X Diagnosis 

^ The process definition is a workflow process definition 
B X The workflow process definition can not be sound 

^ Some conditions are not covered by threads of control 
O There are no confusions and/or no mismatches 
® ^ All conditions ere proper 
X Some tasks are dead 
B O Properties 

ffi ^ Process definition 
Et ^ Workflow process definition 
[f ^ Condition properness 
IS X Interim soundness 
a X Task liveness 
- X Dead tasks: 2 

□ end_of_diagnosis 

□ EXTENSION 



For Help, press FI 



Soundness: X 



Fig. 3. Example diagnosis view 



6 Links to Third-Party Software 

Wofian embeds three filters to import third party process definition files: 

1. For Cosa [SL98] script files (* . scr), 

2. For Meteor [SKM] workflow files (* . wil), and 

3. For Staffware [Sta97] (* .xfr) files. 

Furthermore, the BPR tool Protos [Pal97] comes with an additional Wofian export 
filter, which uses Cosa script files as an intermediate format. Each embedded filter 
shows the results (which could be error messages) of the import process in a dialog. 
For readability’s sake the comments are colored gray, the keywords green, and error 
messages red. 

The dialog as shown in Figure 4 results from the diagnosis process definition (see 
Figure 1) that was designed using Protos, exported to Wofian (i.e., to a Cosa script file) 
and imported by Wofian’s Cosa import filter. Note that the Cosa import filter automati- 
cally added a start condition (GLOBAL_START), an end condition (GLOBAL_END), and 
a token in the start condition representing a newly-arrived case. 

7 Example 

Apparently, the diagnosis process definition from Figure 1 is unsound. In this case, par- 
ticularly the dead tasks are of interest. Note that the short-circuiting task EXTENSION 
is dead. As a result, all tasks are non-live. The task EXTENSION can only be dead if task 
end_of -diagnosis is dead, which is dead because it acts as an AND-join instead 
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Conversion from Cosa 



- Generated by cxi2tpn, a Cosa to TPNtranslalor. (QTUE 1 99? |i OK 

- Input File F \Papers\atpn2000\diagnosis.scr 

Cancel 

place GLOBAL START initi; 

place GLOBAL.END; 

place c4; 

place c5; 

place ell; 

place cl 6; 

place c21; 

place c25: 

place c29; 

place c34; 

place No_WPD; 

place WPD; 

place Pfocess_detinition; 
place Sound_WPD; 
place Proper.WPD; 
place Proper_WPD j 
place Unsound_WPD; 
place Unsound: 
place lmproper_WPD; 

niftro Prnnor iineniinH WPD 



Fig. 4. Example import filter dialog 



of an OR-join. Protos’ export filter and Wofian’s import filter allow to have this prop- 
erty changed in Protos, both filters can handle a task which acts as an OR-join (split) 
instead of as an AND-join (split). After changing this property in Protos, exporting it to 
Woflan and importing the resulting Cosa script file, the diagnosis process appears to be 
a sound workflow process definition. Although this error seems trivial, taking a work- 
flow with such a flawed process definition into production will result in much irritation 
and agony: prevention is better than cure. Also note that real world examples are not as 
straightforward as the workflow process definition shown in Figure 1 . 

8 Conclusions and Future Work 

For several commercial WFMS/BPR products, Woflan can be used to verify a process 
definition, checking both syntactic (cf Section 4.1) and behavioral (cf. Sections 4.2 
and 4.3) properties. By using Woflan and its state-of-the-art techniques it is possible to 
prevent that an unsound workflow is taken into production. 

In the nearby future we hope to extend Woflan with two more features: transition 
invariants and visualization. 

A sound workflow process definition is covered by non-negative transition invari- 
ants. If the process definition is safe, a task that is not covered by these invariants cannot 
be live. In a next version of Woflan we hope to use this property to avoid the use of the 
OG, if possible. 

We also would like to visualize the diagnosis results in some intuitive way, us- 
ing Petri nets of course. If possible, we even want to visualize these results in the 
WFMS/BPR tool the modeler is using. To support this use of Woflan as a back-end 
tool, we separated the analysis techniques from the rest of the tool. 

Woflan can be downloaded from [VA]. 
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